Letter from the CISO, Vol 2 Issue 3
Washington University Community:
Want to know how to be “enough” of an information security expert?
In “Outliers,” Malcolm Gladwell popularized the idea of needing 10,000 hours of practice to become an expert.
I studied karate for many years, and one of my sensei’s (instructor’s) expectations was that once he had taught me a technique, I should be able to teach it to others. As a white or yellow belt novice, he adjusted the expectations to match his students’ general lack of expertise, but we were still frequently called upon to practice the techniques we’d learned and teach them to new students as they joined the dojo.
In an earlier column, I invited everyone at WashU to be part of our Information Security team and explained how essential it is for each of us to help protect all of us.
Last month I encouraged you to help friends and family members who might fall victim to cyber criminals, but I provided only limited advice on how to do so.
I clearly can’t ask each of you to devote 10,000 hours to become an expert (that’s five years of full-time work!), but I can suggest a different way to make everyone think you’re an expert.
How can you become an expert? “See one, do one, teach one.”
The phrase “see one, do one, teach one” is often used among medical personnel, particularly trainees focused in surgical areas, but it can also be applied to karate, cybersecurity, and many other areas.
Each month, this newsletter provides lots of information about scams we are seeing and steps you can take to protect yourself and the university. All you need to do is pick one or two tips and share them with friends and relatives each month.
Fight off an attack . . .
If you become the “expert,” your mother or father will call you when someone offers to remove the viruses from their computer or sell them an extended warranty on their car. You can then help them exercise the NUMBER 1 defense against cyber criminals: slow down and examine the situation with skepticism and a little paranoia (as I wrote about in my August 2021 letter – see ).
. . . and improve their defenses
While you are at it, see if you can help them set up 2-Factor Authentication (2FA) logins for their email, social media, online stores, and bank accounts.
I’ll warn you that this can be difficult. I tried to do this with my parents when they were in their late 80s, and it simply proved impossible. I was able to get them to use different and unique passwords for their various accounts, which also allowed me to obtain and secure them, making it much easier to take over managing their finances when that became necessary.
To help them use different passwords for different accounts, try writing them down in a book they can secure, using the built-in password manager in their browser, or, best of all, using a dedicated password manager (see https://informationsecurity.wustl.edu/the-magical-world-of-password-managers/ and https://informationsecurity.wustl.edu/get-inside-the-hacker-mindset-to-create-stronger-passwords/ for more information).
As brown and black belts, our sensei expected us to teach everything we had already learned at the skill level expected of brown and black belts.
Compared to many people in your life, you are a technology and security brown or black belt. It might not always feel like it to you, but by teaching others a few tricks, you will become more expert and proficient.
Thank you for reading and being part of the university’s Information Security team!
Good luck, and please be careful out there!
-Chris Shull, CISO