A significant challenge we face on a daily basis is to convince people to drop their preconceptions, opening their eyes and ears to new stuff and considering things more broadly.
Here are three illustrative examples:
- We are concerned about information risks defined as risks to or involving information in all its forms, not just computer data. Information is the asset we are trying to protect, our prime focus. IT- or cyber-security is clearly a major part of it these days, but there's more besides. There are, have always been, and will always be, shed-loads of incidents involving information that have little if anything to do with computers, networks or technology.
- Information incidents are not limited to the loss of confidentiality. Other aspects such as integrity and availability of information are just as important, sometimes more so. Details of a hospital patient's medication, for instance, should remain private but for obvious reasons must also remain reasonably accurate, complete and accessible when needed by the nurses administering the drugs. Trade-offs between these properties are often needed in the security arrangements in order to keep things in balance, which is why it is important to consider all aspects rather than confidentiality alone.
- Information security is not purely about locking things (especially IT things) down and preventing inappropriate activities. This point flows from the other two but is worth emphasizing separately, I feel. Not only is it literally impossible to eliminate information risk completely, but that is not a realistic objective anyway. Although we try to avoid or reduce unacceptable risks, some risks are worth taking. This leads to a different perspective on information security as a business-enabler and assurance activity, as much as a risk-reduction, controlling or compliance activity.
Dealing with preconceptions is tricky because they are often innate, unrecognized, deeply entrenched and cultural. People have certain expectations about what security awareness and training is all about, how it should be done, what it should or should not cover, and so forth. Their prejudices and biases can make it tough to get alternative perspectives and points across. In the extreme, they may tune out, completely ignoring or totally rejecting things that don't fit their preconceptions, their world view.
Worse still, we infosec pros are humans too (believe it or not!). We're not immune to preconception, prejudice and bias. Many of us are unnaturally passionate about this stuff. This very rant is more than just a hint! I maintain, though, that being sufficiently self-aware to acknowledge our limitations is an important step towards surmounting them.
I'm going to leave it there for now, except for this parting thought for the day. The way we express stuff is just as important as what we are communicating. Security awareness and training is an emotional activity. If we fail to engage with our audiences on a personal level, we might as well not even bother. Remember this the next time you are writing a security policy ... or blogging about infosec [yep, do as I say, not as I do!].