Today I'm revising the InfoSec 101 presentation for general employees, starting with a brief introductory slide addressing questions along the lines of "What's the point of information security?" and "Why are you even telling me about it?".
It's not as easy as you might think to answer such fundamental questions, simply, for someone who may have no background or interest in the topic. So I went Googling for inspiration, and came across this neat list of infosec benefits from a company called Global Strategic:
- Demonstrates a clear commitment to data security- including confidentiality and strict accessibility rules;
- Provides procedures to manage risk;
- Keeps confidential information secure;
- Provides a significant competitive advantage;
- Ensures a secure exchange of information;
- Creates consistency in the delivery our services;
- Allows for inter-operability between organizations or groups within an organization;
- Builds a culture of security;
- Protects the company, assets, shareholders, employees and clients;
- Gives assurance that a third party provider takes your data security (and your business) as seriously as you do
Some of those are not terribly helpful for our awareness purposes. A benefit of information security is security or protection [of information], yes, but that's obvious from the phrase! It doesn't move us forward.
Risk management is definitely a core purpose of infosec. I'm not keen on the idea that infosec 'provides procedures' though. Infosec is an overall approach, rather than simply a set of procedures or processes. "Infosec lets us manage risks" is closer to the mark, I think, or maybe "We use infosec to manage information risks". Hmmm.
Competitive advantage is another good one, although I think I would prefer talk about 'enabling the business'. Whereas managers are presumably familiar with the concept of competitive advantage, I'm not sure about general employees. 'Enabling' is a fairly complex concept too, so "Infosec is good for business" would be an even better way to express it.
Re the notions of securely exchanging information and inter-operability: those seem quite narrow and specific to me - parts of infosec, for sure, but arguably too obscure for a relatively naive audience. They are technocentric, too, whereas we are keen to position infosec more broadly than just IT or cybersecurity.
Consistency of service delivery reminds me of the CIA triad, an important point since most people naturally think infosec is just about secrecy. I'll have to figure out how to put that, if at all.
I like the point about infosec building 'a culture of security', although it is arguably too vague. We can express the notion as "The way we do things here".
Assurance is yet another important but fairly obscure concept. In plain language, 'trust' is simpler. Infosec is about building (generating and maintaining) trust, being able to trust the organization.
Aside from those points, what else might we say? Maybe something about safety? Compliance is another key driver, well worth mentioning I think.
I'll revise the PowerPoint slide and speaker notes accordingly, and will continue refining the messages as I continue researching and contemplating this topic. Meanwhile, there are about a dozen more slides to update in that presentation, and several more presentations to revise. It's easy for this perfectionist to get completely bogged-down!