Fresh Thoughts #20: Brown M&Ms & Trusting Your Team


Well, that didn't last long. Last week I wrote about the influx of catfights and pigeons into my back garden. Then on Thursday afternoon, I met Mabel - a 1-year-old rescue pup - and since then, it's been about gaining and building her trust.

But how?

By signalling.

For Mabel, it's being prepared to let her sit on my knee for two hours. Feeding her. And reassuring her that she doesn't need to go into situations that scare her.

Signals and signalling are a critical part of the human/animal side of trust and security.

Van Halen's Brown M&Ms

At every venue, artists have a rider - a contract covering everything they need to perform. Van Halen's rider famously contained a clause requiring a bowl of M&Ms... but no brown ones.

While easily dismissed as rockstars being picky - it was anything but.

It was a seemingly insignificant test: a cheap check of whether the venue had read the rider accurately - and, by extension, whether all of the essential, safety-critical points had been covered.

In his memoir, David Lee Roth - Van Halen's lead singer - said, "When I would walk backstage, if I saw a brown M&M in that bowl, well, we'd line check the entire production. Guaranteed you're going to arrive at a technical error... Guaranteed you'd run into a problem."

The absence of brown M&Ms created a reliable signal of trustworthiness - that the venue had paid attention to the small details... and increased confidence that the critical tasks had been dealt with.

How Do I Know if I Can Trust My Team to Do The "Right Thing"?

An honest question that is often answered by glib, unhelpful responses...

  • "Well, you hired them, didn't you... so you have to trust them." - Erm... not always; it's more common to inherit a team. 🤔
  • "You can't. As the saying goes... To err is human; to forgive, divine." - An absolutist answer and equally useless.

So what is a better answer?


Regular phishing simulations and security awareness training are crucial for all cybersecurity programs. Yes, some people will be caught in each simulation - a momentary lapse of judgement, and on its own not much of a signal. But a repeated pattern of failures across multiple simulations, combined with a dismissive attitude toward security awareness and toward understanding the risks your business faces, is a signal - and it tells a different story.

This is why phishing simulations, security awareness training, and Fresh Security's Human Security radar (this email) contribute to a high-quality signal - one that shows whether you can trust certain people within your team to do the "right thing".
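The distinction above - one click is a lapse, a pattern across campaigns is a signal - is easy to get wrong if people are labelled after a single campaign. As an added example (not the newsletter's or Fresh Security's own tooling), here is a small Python script that aggregates constructed phishing-simulation results per person across campaigns and only labels someone a repeat failure once there are enough campaigns to judge. The outcome names, the sample rows and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample telemetry, not real campaign data. Each row is
# (campaign, user, outcome). The outcome vocabulary is an assumption for
# this example: "reported" (user reported the mail), "ignored",
# "clicked" (followed the link), "submitted" (entered credentials).
SAMPLE_RESULTS = [
    ("2022-03", "alice", "reported"), ("2022-03", "bob", "clicked"),
    ("2022-03", "carol", "ignored"),
    ("2022-04", "alice", "reported"), ("2022-04", "bob", "ignored"),
    ("2022-04", "carol", "clicked"),
    ("2022-05", "alice", "ignored"),  ("2022-05", "bob", "submitted"),
    ("2022-05", "carol", "reported"),
    ("2022-06", "alice", "reported"), ("2022-06", "bob", "clicked"),
    ("2022-06", "carol", "ignored"),  ("2022-06", "dave", "clicked"),
]

# Best-to-worst ordering; used when one user has several rows for a campaign.
SEVERITY = {"reported": 0, "ignored": 1, "clicked": 2, "submitted": 3}
FAILURE_OUTCOMES = {"clicked", "submitted"}


def per_user_history(results):
    """Group rows into {user: {campaign: outcome}}.

    If a user appears twice in one campaign (e.g. clicked, then reported),
    the worse outcome is kept so a late report cannot erase a click.
    """
    history = defaultdict(dict)
    for campaign, user, outcome in results:
        if outcome not in SEVERITY:
            raise ValueError(f"unknown outcome {outcome!r} for {user}")
        previous = history[user].get(campaign)
        if previous is None or SEVERITY[outcome] > SEVERITY[previous]:
            history[user][campaign] = outcome
    return dict(history)


def classify(campaign_outcomes, min_campaigns=3, repeat_threshold=2):
    """Turn one user's campaign history into a coarse trust signal.

    The thresholds are tuning knobs (assumed values), not standards:
    - fewer than min_campaigns data points: refuse to label anyone
    - repeat_threshold or more failures: the repeated pattern that
      actually carries signal
    - exactly one failure: a momentary lapse, not a verdict
    """
    outcomes = list(campaign_outcomes.values())
    failures = sum(o in FAILURE_OUTCOMES for o in outcomes)
    reports = sum(o == "reported" for o in outcomes)
    if len(outcomes) < min_campaigns:
        return "insufficient-data"
    if failures >= repeat_threshold:
        return "repeat-failure"
    if failures == 1:
        return "single-lapse"
    return "reporter" if reports else "no-failures"


def trust_signals(results, **thresholds):
    """Map every user in the results to their signal label."""
    return {
        user: classify(history, **thresholds)
        for user, history in per_user_history(results).items()
    }


if __name__ == "__main__":
    for user, label in sorted(trust_signals(SAMPLE_RESULTS).items()):
        print(f"{user:<8} {label}")
```

Note the two deliberate design choices: a user with fewer campaigns than `min_campaigns` gets "insufficient-data" rather than a verdict, so a new starter who clicks once is not written off; and a duplicate row for the same campaign keeps the worse outcome, so reporting the mail after clicking the link still counts as a click.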

June 21, 2022
2 Minutes Read

Fresh Sec Limited

Call: +44 (0)203 9255868