Though not using the actual term, he's talking about achieving a widespread culture of security throughout the organization, and in fact in a still wider sphere taking in its customers, business contacts and even, dare I say, its auditors. You can't put all those people through security training as such, but you can create a level of awareness. As he puts it, 'weaving security in to routine activities' is one way to make it an inherent part of the organization's fabric. Here are a few more suggestions:
"But much more importantly, we weave security awareness into a lot of activities. Listen to our quarterly investor calls, and you'll hear our executives mention the importance of security. Employees go to our all-hands meetings, and hear those same executives talk about security. The four adjectives we've often used to describe the company are "fast, reliable, scalable, and secure". Social engineering attempts get broadcast to a mailing list (very entertaining reading for everyone answering a published telephone number). And that doesn't count all of the organizations that interact with security as part of their routine. And that's really what security awareness is about: are your employees thinking about security when it's actually relevant? If they are, you've succeeded. If they aren't, no amount of self-enclosed "awareness training" is going to fix it. Except, of course, to let you check the box for your auditors."
- Informing and motivating managers, and indeed other influential/powerful people (like auditors) to pay attention to information security matters, and pass on their concern to staff ('walking the talk' and 'leading by example' actually work!);
- Encouraging IT professionals to support the cause of information security when interacting with IT systems and, yes, even with real living, breathing people;
- Using marketing, advertising and promotional techniques to create a security brand, ideally forming an integral part of the organization's overall branding, positioning and corporate image;
- Using creative awareness materials on interesting information security topics for a vibrant and memorable campaign;
- Making the campaign an ongoing, continuous, year-round program of awareness activities, helping to embed and reinforce the cultural change as a permanent fixture, not a one-off event just to satisfy compliance obligations.