Here it is, the last day of 2013. It has been a rough year for me, both personally and professionally. So for the first time in a long time, I’m very much looking forward to speeding off into the new year without even glancing in the rear-view at 2013.
And it is the time for those dreaded New Year’s resolutions – I’ll exercise more, eat less, and write more thank-you notes. Most of these resolutions don’t even last as long as the glitter from those sparkly New Year’s hats will be found in your carpet.
This year, I’d like to suggest a different New Year’s resolution to my fellow information security industry professionals.
Let’s focus 2014 on security awareness.
To be clear, I’m not talking about the typical crap PowerPoint presentation called “security awareness training” that employees are forced to sit through every year. Anything with mandatory attendance is going to get exactly the amount of attention it deserves. You security professionals know what I’m talking about, too… How many of those CPE credits for your various certifications have you been forced to participate in? From how many have you actually taken away valuable knowledge, insight, or awareness? Be honest. I have heard from many of you who are glad you have two computers at your desk so that one can be droning away with a CPE briefing while you get real work done on the other one.
Every October we hear some noise about National Cyber Security Awareness Month. How many individuals come out of October with far better computing habits than they went in with? Contrived short-term sprints of awareness aren’t helpful. Force-feeding awareness isn’t helpful. The only thing that I’ve found to be helpful throughout my career is one simple thing:
We need to learn how to communicate better with those we are serving. Whether it is our employers, our customers, our friends, or our family, we need to communicate with people on their level. Calling people “lusers” or saying “PEBKAC” when someone clicks on a seemingly obvious piece of email spam doesn’t create awareness – it separates us from those who need our help the most.
Awareness is when individuals are aware of the decisions they are making, and the consequences of those decisions. Awareness creates two significant side benefits:
First, through awareness of the consequences of their decisions, they will often cease to be as big a threat to the security of their information and the information of their organization.
Second, they become an ally in spreading awareness.
A few weeks ago I taught a short class about passwords to the staff of my church. The benefit was not just that the individuals at the church created better passwords, but that those staff members went home and passed those same lessons on to their spouses and children.
Awareness is gained through communication. And awareness is communicable.
So take my advice – resolve to improve security awareness through an improvement in communication during 2014. Not just during October, but all year long. The benefits to improving communication will last for many years to come.