I Was Wrong About Security (Again)
On Friday of last week, a few GreyCastlers spent some time at the range with the FBI Albany Division SWAT team.
We started with the obligatory safety briefing, then talked training and qualifications for a while and then we shot firearms for a few hours.
I love my job.
During the course of the conversation, the SWAT Team Leader discussed the rigor and frequency of the squad’s training program. On average, each operator fires 10,000 rounds each year. Some of these are in basic training drills, where the operator is simply shooting at a target. Some these rounds are in live fire drills, where the operator is timed, under duress and working with a team. And yet another bunch of rounds are fired in what’s called force-on-force. This is where someone is firing back (they’re using non-lethal ammo, of course).
When asked why they spent so much time training, the Team Leader stressed the need for “unconscious competence” in their profession. This is a term that has been coming up more in information security circles, too, particularly regarding operational security.
The SWAT team did a quick demonstration of a dynamic entry before we all geared up and grabbed guns. They deployed a flashbang, kicked a (virtual) door in, dropped a few tangos and rescued the hostage. It was over in under three seconds.
These guys are good. Really good.
What do you expect for individuals who qualify with their weapons four times a month under tight tolerances and grueling conditions?
After the course I started thinking again about how unconscious competence can be achieved in our business. Let’s rewind a bit.
Last week I suggested that people weren’t the biggest problem in information security. I was wrong.
Human beings, despite having an oversized brain and opposing thumbs, are naturally bad at interpreting risk. We are by far, the biggest problem in information security. We are the only reason that training programs are required.
What if employees were required to qualify four times a month like the SWAT team? What if we could get employees to achieve unconscious competence?
Most of the people reading this will already recognize that changing people’s behavior’s requires a bit of psychology. Up until recently we’ve focused on learning sciences as they relate to content and delivery – relevance, engagement, tempo and duration.
But what if we applied a secondary model to this, one that starts out suggesting that people don’t know what they don’t know.
Introducing the “Four Stages of Competence“.
This learning model has been around for some time (I first learned about it in the October/November 2012 issue of Handguns Magazine) and it makes a lot of sense.
We plan to do some research on this and continue to think about how we can integrate this into our awareness and education programs.
If it’s good enough for SWAT it’s good enough for us.