Written by Steve Simpson, Chief Information Officer at ES2
Is there anything that is treated more apathetically in corporate education processes than finding out that you have to do the Security Awareness module? Having been an information security professional for many years now, I still get a sinking feeling when I receive that message telling me to click on the link to undergo the awareness training. Even my passion for this topic does not help me look forward to this event. I recall one time where I was reduced to taking a series of screenshots of every page displayed so that I could just go to the quiz at the end and then review the screenshots of the scenarios to answer the questions. There is no way that I am the only person to have come up with this solution, which does nothing for me (or other users), nothing for the company, and causes no improvement in the awareness of security aspects. For me, the lack of enthusiasm could be just because it’s a basic part of a topic that I know and love so well, but that does not help to account for why it is such a common reaction, and I believe it may be the way that such learning modules are presented to us that results in such an unhelpful attitude.
As a security professional, I find that I am quite jealous of the way that Work, Health and Safety (WHS) has become such an accepted and noted part of corporate education. WHS has actually become an integral component of corporate culture; everyone seems to know their role as part of the big health and safety picture. In the resources industry this is taken to the extreme, where some companies even forbid staff (and contractors!) to cross the road except at a designated crossing, but I see more realistic evidence in most organisations whatever their industry vertical. Why is it that information security is not currently seen to be an equally integral part of corporate culture? Surely this is the Nirvana of all security professionals: to have information security become an integral part of the culture of a business. I suspect that at least part of the reason for failure to date lies in the history of our profession. For many years security was about blocking bad things, and the link between a blocked practice and the bad thing it was meant to prevent was often pretty tenuous. Reporting always took a negative tone and rarely included detail of how threats would impact the business as a whole. The security manager made the decision to say no to certain practices and everyone else had to go along with that. Luckily, this attitude in security professionals is greatly reduced these days. The vast majority of us now have a greater understanding of our role and advise on risk rather than just saying no. However, we still have not changed security awareness to a level where it becomes a positive cultural component, and we are still often clinging to our scaremongering roots.
Education is the Key
All those working in the information security field know the difficulty in selling security without also selling fear, and this is probably the key to security awareness. We need to encourage good practice rather than just concentrating on the bad things and their consequences. It is frequently quoted and always true that people are our biggest asset and our weakest link, so why not educate this asset to do our job for us? I have on a number of occasions met security professionals who simply do not believe that security awareness can work, but I have witnessed it first-hand in some levels of Government and Defence where security is such an integral part of the culture that it is highly transparent…