While researching competitive intelligence today, I came across Glassdoor.com, a site that lets employees share their opinions of their employers. It is evidently yet another jobs site that aggregates vacancy notices from various sources (for a hefty fee to its advertisers, no doubt). Purely out of curiosity, I checked the current listings for security awareness jobs and found a tidy stack of vacancies including one at Disney's IT function and another at a US defense contractor. I didn't notice their salaries, but I suspect both are offering many times what it would cost them to subscribe to an awareness service such as NoticeBored.
They all seem to want people to prepare their awareness materials from scratch, implying that they each consider themselves "special". And they are asking for qualified, experienced infosec pros with technical writing skills. [Just glance at the average corporate security procedure or guideline to see how rare that particular combination is!]
Get real! It really doesn't matter much what industry segment you occupy: information is information is information. Risk is risk is risk. Security is ...
Oh sure, every organization has its foibles. Of course there are differences in organization structures, security strategies, compliance requirements, policies & procedures, technologies, people, locations etc. but taken as a whole, there is far more in common than the job advertisers seem to think.
"Special" is fine so long as they have the resources to employ "specialists", but times is hard. Starting with good quality generic security awareness materials will save them big bucks, even if they feel the need to employ someone to take the supplied content, tart it up and spray it out, or better still, a people-person to interact with and engage employees on a wide variety of information security topics, perhaps even a social engineer. There is plenty of scope for creativity there.
Surely a company such as Disney has a bit of a clue in the creativity sphere? Or are they doomed to do the same things over and over, vainly hoping for a magic spell?
Having someone like us - or indeed our erstwhile competitors - research and write the base security awareness materials for you frees you to do the creative delivery bit: that's where you add the most value, and the bit that is most often neglected. If you seriously think the state of the art in security awareness is to have a deadly dull SharePoint area on your intranet, stuffed with a random assortment of boring, largely out-of-date policies and other junk, liberally sprinkled throughout with legalese and dire warnings about the consequences of noncompliance, then good luck to the poor sod who accepts your job offer. Please call at reception for your regulation corporate straitjacket on arrival.