Happy Sunday, everyone! I trust you are all having a great weekend. It’s been a nice weekend for me so far, especially in preparation for my long vacation, or “hibernation” as I’m fondly calling it. ☺️ I want to ensure I’ve things in order and have accomplished as much as possible at work, so as to not leave anyone hanging, nor to place any additional burden on my colleagues.
I’m sure that I’ll still probably check in on occasion (as in checking emails and such), but I’m going to try my best to do that as little as possible. I’ll be reminding myself that the time off is something I have earned, and I should not feel guilty by taking it, or feeling obligated to remain connected to work. I have no trouble recommending the same thing to others—certainly a classic case of “do what I say, not as I do”. 😂
This Got Me Thinking
This past week, we dealt with a minor security incident with a customer computer. They were trying to download and install some software, and ended up obtaining it from a questionable website. Naturally, the software had malware contained within it. The security teams were able to isolate it and block its internet access so that the device could be analyzed and our team could have it wiped and given back to the customer. Had things not happened so quickly, it could have been much more serious.
This got me thinking about a phrase I see and hear quite often: “insider threat.”
I hear it in meetings, read it in articles, and especially hear it in podcasts. Every time, something about it feels off. I never really could place exactly why until this incident occurred. A threat implies intent. It paints someone as an adversary, someone actively working against you. But that’s not what most internal security incidents actually look like.
At work, when I think about the people I’m trying to support—the researchers, the staff, the faculty who are just trying to get their work done—I don’t see threats. I see people navigating complex systems with limited training and too many competing demands on their attention. I see someone who clicked a link because it looked real, or someone who installed software from a questionable site simply because they had a legitimate need to address a problem.
These aren’t malicious acts. They’re human ones.
I think that’s where “insider risk” feels more honest to me. Risk acknowledges vulnerability without assigning blame. It opens the door for conversation, for education, for building trust. It lets me approach someone with curiosity instead of suspicion—“What made that email look legitimate?” rather than “Why didn’t you know better?”
Here’s what I’m learning: if we want people to care about security, we have to show them we care about them first. Not as potential threats to monitor, but as partners we want to support. They need to feel like they can come to us for help and guidance, rather than fear we exist only to tell them “no”, and go about finding a solution on their own, which could end in disaster.
Maybe the shift from “threat” to “risk” seems small. But small shifts in language can create big shifts in culture. And that’s the kind of security I want to help build.
Lastly, here’s a look back at what I wore to work this past week. Only two more work days left for me in the week ahead, so my next recap will be very light.
I haven’t yet decided if I will do any posting on my blog during my “hibernation” or not. I’m not going to force it out of me to post, but if something feels right, I certainly will. The only thing I won’t be posting will be any outfits. Those will resume when I’m back at work after the new year.
In any case, I hope you all have a wonderful rest of your weekend. Also, I hope you have a safe and wonderful holiday season! 🦃🎄
-Terry
Leave a Reply