We update this blog frequently in connection with the security awareness materials we're preparing, on security awareness techniques in general, or on hot infosec topics of the day. Blogging helps get our thoughts in order and expand on the thinking and research that goes into the NoticeBored modules. More than just an account of what's going on, updating the blog (including this very item) is an integral part of the production process.
A perennial theme is that it's harder than it appears to do security awareness properly. Anyone can scrabble together and push out a crude mishmash of awareness content (typically stealing or plagiarizing other people's intellectual property - tut tut) but if they don't really appreciate what it all means, nor how to apply the principles of awareness, training and adult education, they are unlikely to achieve much. It's all too easy to add to the clutter and noise of modern life, more junk than mail.
Simply understanding what awareness is intended to achieve is a challenge for some! As I blogged the other day, being aware is not the ultimate goal, just another step on the journey - a crucial distinction.
It could be said that this lack of understanding, rather than the usual lame excuse - lack of funds - is the main reason that security awareness programs falter or fail. I'm sure there are many other reasons too:
- Lack of creativity: people gradually tune out of dull, uninspiring approaches and come to ignore the same old same old (they get Bored of the Notices). If all the awareness program ever blabbers on about is compliance, privacy and phishing, over and over like a cracked record, don't be surprised if the audience nods off or slips quietly away for something more stimulating;
- Poor quality communications: a lot of this stuff is technical and complex, so there's an art to explaining it in terms that resonate with the audience. Simply writing and drawing things professionally takes skill, effort and practice, and time (perhaps our most valuable resource). A perfectionist by nature, I cringe when I look back at some of the awareness content we first delivered when we launched this service, or for that matter when I see a simple typo in this blog or an error in something we delivered just last month. I hope I never stop learning and improving;
- Lack of skills and competencies: I hinted at this just a moment ago. Awareness is an interpersonal/human activity, while information security is mostly about the technology. Spot the difference! Few cybersecurity professionals, in particular, are comfortable, let alone competent at relating to ordinary non-tech people. Disparagingly and dismissively referring to them as "users" is a massive clue about a lack of respect. Even presidents need to appreciate the importance of earning and retaining the trust and support of the people. I've blogged about innovative approaches such as operant conditioning and treating security awareness as a (beneficial!) form of social engineering;
- Limited or waning support, particularly from influential managers and other individuals. Awareness is a cultural issue, hence the tone at the top can mine or undermine it;
- Naive, superficial approaches with a preponderance of childish cartoons, games and trivia. Having fun is appropriate in moderation but some of this stuff is deadly serious and should not be taken too lightly;
- Weak or absent awareness metrics: if it's uncertain whether the awareness program is or is not having a positive effect on the organization, creating more value than it expends, then don't be surprised at lackluster support from management and limited funding (as I said, a lame excuse: rather than just bemoaning the fact, ask why the budget is inadequate, then work hard to address the reasons);
- Lack of focus and purpose: in the corporate context, security awareness has to support the achievement of the organization's business objectives, otherwise it's irrelevant, unhelpful and doomed. Awareness is best designed-in as an integral part of the information risk and security machinery, greasing the cogs and oiling the bearings as it were;
- Conversely, there's myopia: intense focus on too narrow a field of view, ignoring or failing to address the wider issues, not least how information risk and security concerns the organization, its business and its people. It's really not hard to think up dozens of potential topic areas, turning a creative awareness program into something much richer and more vibrant than the norm. Just lose the blinkers;
- Irrelevance: a tricky one, this, given the diversity of the intended audiences and the topics. People are unlikely to be equally interested in every awareness item, yet others may benefit from it, hence the need for a spectrum, a mixture of ingredients that, together, bake a tasty cake;
- Lack of direction: where are we going with this? Good question! This blog meanders from side to side, even glancing off at tangents sometimes, but generally it tends back towards the middle ground: awareness is an essential and valuable means of mitigating information risks. Thinking about your awareness program, do you have a crystal clear vision of what it is intended to achieve, and how it is going to do that? What's your cunning plan?
Anyway, I encourage you to browse all 50 of the best infosec blogs and track the ones that appeal to your imagination. Part of the fun of securing information is that it is a complex and dynamic enterprise. We need all the help and inspiration we can get!