Security Experts:

Spotting a Norman: How to Root Out Those Wasting Organizational Resources

In the 2016 film “Norman: The Moderate Rise and Tragic Fall of a New York Fixer”, Norman, the lead character, appears to be a successful businessman on the surface. Only after we begin to dig deeper do we learn that Norman is essentially more a complexly woven web of lies and inconsistencies than he is a real person. In other words, Norman is not at all as he seems.

Unfortunately, in the field of information security, there is no shortage of Normans. How many times have you met someone full of promises and big on talk, only to be disappointed by what results from your engagement with them? Normans not only let organizations down, they adversely affect the information security postures of those organizations by taking valuable time and resources away from other value-added activities.

To help organizations avoid wasting their time with Normans, I offer ten ways to spot one:

1. Can’t get a straight answer: Normans are very good at evading tough questions by using complex, verbose monologues in place of answers or by changing the subject entirely.If you ask someone a simple question, they should be able to give you a simple answer. If you’re more confused after you ask the question than before, beware.

2. Narratives, rather than facts: It’s hard to argue with facts. Nonetheless, some people try to. Normans are quite nimble when it comes to putting together narratives and making those narratives sound like a true story. When called on their story telling or caught in an inconsistency, the narrative quickly morphs into its next version. If you find that the story keeps changing, it could be a sign that you’ve got a Norman on your hands.

3. Insults and blame:  Don’t expect praise from a Norman. They will almost never praise another professional, and when they do, it’s usually because they’re looking to get something in exchange for their praise.  Beyond that, it is quite common for Normans to criticize, belittle, and insult the accomplishments of others and to blame others when things aren’t going as promised.  All of these are mechanisms by which Normans keep the heat on others, prey on the self-doubt of their colleagues, and keep down those with low self-esteem who might be on to them.  If you know someone who has these traits, they might be a Norman.

4. Moving from one thing to the next: Many people find it challenging to stay focused and on course amidst distractions.  Normans know this and use it to their advantage.  One way to keep people from asking too many questions on any given topic is to distract them with another one.  If you find that someone constantly moves from one thing to the next without ever finishing anything, they could be a Norman.

5. No insight into what they are doing: Normans are quite good at withholding information and providing very little insight into what they are doing. If, no matter how many times you ask someone, you can’t seem to understand what it is they’ve been spending their time on, chances are, they’re a Norman.

6. No tangible accomplishments:  If you had a dollar for every word a Norman uttered, you might stand a chance at getting back the amount of money they’ve gotten out of you. Talk is cheap though. Action, on the other hand, is contrary to the nature of a Norman. If you can’t seem to identify any tangible accomplishments, regardless of how much money you’ve spent or invested, you might be paying or funding a Norman.

7. Endless pursuit of funding: Unless they are independently wealthy, Normans, like most of us, need to make a living. Unfortunately, rather than invest their time and energy into honest work, Normans invest in fundraising. If you know someone who is always in pursuit of funding for their latest project, or is otherwise always looking for money, they’re probably a Norman.

8. Shreds of truth: As the Scottish author William McIlvanney wrote, "good lies need a leavening of truth."  One great way to live a life of lies is to make it as difficult as possible to refute those lies. And one way that Normans can make it very difficult to refute their lies is to include a grain of truth in them. If you find yourself constantly saddled with lies that are difficult to counter, you might have a Norman on your hands.

9. Leverage: It’s a tough world out there, and Normans survive by extracting, or trying to extract leverage at every possible opportunity.  If you can’t seem to have a simple conversation with someone without that person trying to get the upper hand, you’re likely engaging with a Norman.

10. Always happy to take a favor: We all know people who call you for favors, and are then mysteriously busy or unavailable when you need one in return. True friends and true colleagues don’t keep a tally of how many favors one has done for the other, of course.  Nonetheless, if you take a step back one day and realize that the scale is tipped heavily in favor of your supposed friend or colleague, you’re likely doing favors for a Norman.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.