Just last week, a friend pointed out to me that only drugs and information technology (IT) have “users.” A week before that, a colleague was explaining his challenge of creating a security awareness program in a firm that “operated less like a business and more like a law firm.” Specifically, the big-dollar revenue producers in […]
Author Archive | Michael Santarcangelo
The moment we judge someone, we forfeit the ability to help. Seems like a lot of what is being promulgated in so-called “security awareness” today is nothing short of berating people with a never-ending list of things not to do, coupled with a shorter, non-intuitive list of what to do. When these lists predictably fail to […]
The first step toward building a successful security awareness program is to understand the concept of awareness, how to define security awareness, and how that impacts the business in a way that makes sense to support.
A few years ago during a workshop, an exercise turned into a lesson learned for me. This column shares the story, the lesson learned and some tips on how you can improve your definition of security to ensure success. Related to this challenge is a Google+ thread I started. Before reading it, take a few […]
Bust the myth that communication is a “soft skill” that cannot be measured; learn 3 key ways to measure and improve the ability to effectively communicate value.
Essential in life, and equally so in security, communication – especially the ability to effectively communicate value (ECV) – is necessary to inform the process of decision-making. Without a clear understanding of risk and potential actions, people (executives and individual employees) may make decisions based on unrealistic assumptions or a poor understanding of the solution. It’s […]
Effectively communicating the value of security must contend with the realization that value varies based on the audience, and the terms selected often have multiple meanings. Success requires the ability to understand and consistently convey key points and outcomes while adapting each message to the audience with the appropriate examples and logic, in a design suited to the outcomes.
Over the last few years, we have been presented with a series of reports, complete with statistics, suggesting the cause of breaches is people. Whether external attackers taking advantage of people, insider mistakes or even insider espionage, the overly simple and false conclusion seems to be that people are the problem. Well, they aren’t. Except, of […]