I'm working on an assignment, writing a few hundred words of awareness content for a client on each of a range of information security topics - all topics on which we have prepared entire awareness modules previously. "Privacy", for instance and, today, "Portable IT device security".
I estimated taking an hour or two to prepare each piece. That turned out to be underestimated by about 100%, partly because it's a new format for a new client. As I settle into the routine and respond to feedback from the client, it's getting easier and quicker with each passing topic. Hopefully I'll hit my estimate by the time we're done!
The subject matter is the easy bit. The challenge is to condense each topic to its bare essentials, express them in a readable and engaging style, and close with some pragmatic action-oriented advice. There's quite a variety of information security risks and controls relevant to, say, portable IT devices, lots of situations and threats to consider, and lots of things to advise people to do. I could easily write thousands of words and throw in a few diagrams, mind maps and figures each worth thousands more ... but for this client I only have a page or two to play with. I spend much of the time deciding what to leave out, then carefully shaving superfluous words from what remains.
In the end, we're hoping the awareness material will grab someone's attention for a brief moment, register with them and influence their behavior - easier said than done in the modern age. We're all constantly bombarded by information. As I compose these very words on one screen, I'm listening to music, watching stuff flow past on another screen, thinking about emails and to-do lists and Anzac Day, and idly wondering what's for tea. With so much happening on interrupt these days, it's tougher than ever to concentrate on and complete specific tasks. Deadlines are under threat as we constantly deal with things, adjust priorities and try not to lose the tattered remains of our sanity.
I'm in the fortunate position of working from a home office. I'm in charge here, in control of my environment and workload. In the typical modern open-plan office or Dilbert's cubicle-land, the distractions must be immense, especially with those portable IT devices constantly bleeping for our attention like annoying electronic toddlers. "Office hours" have become irrelevant for many as commuting and home time are consumed by left-over tasks and invaded by further distractions, while at the same time personal life intrudes into the daily grind with social media messages and texts from friends and rellies - thanks largely to those portable IT devices again.
So much for work-life balance. What an oxymoron.
There's a lot to be said for separating private and working lives, prohibiting private social media access in the office for example. On the other hand, BYOD goes the other way: fine, go ahead, use your pink jewel-studded Barbie smartphone for work and, yes, it's OK to take personal calls and tweet if you must, but if the boss calls at 9:30 pm, you had better pick up.
The consequences go further than stress and blurred responsibilities. Information overload is A Thing. The human race is distracted to the point of losing sight of important stuff which (to me at least) includes information risk, security, privacy And All That.
So, the job of a security awareness pro comes down to catching people's attention and exploiting fleeting opportunities. I don't tweet but patently I do blog. Our awareness materials span a range from about 100 words to a few thousand, in a variety of formats and styles. As far as possible we try to inject some life and interest into the dry subject matter, and generally make an impact.
A lasting impact, now that would be good. Hmmm. What else can we do to hammer this stuff home? Suggestions please, in no more than 2 or 3 short words ... and forgive me if I don't respond. Must dash.