I have been to over 10 events this year alone – from Infosec, to smaller regional meetings of other information security related professional “bodies”. The names might change (although there’s the inevitable overlap of familiar faces) but the one issue that comes up again and again, in presentations, in conversations and online, is the PEOPLE issue. It’s always a top bullet point no matter how lofty or technically explicit the presentation might be. People are the way in, the weakness, the unreliable, unpredictable factor that renders the most sophisticated technical protection useless.
And yet – the recent SC awards haven’t even got a category that comes close to serving this burgeoning sub-industry. It defies logic.
The investment in experts in behavioural change (for which I shall use the euphemism “Marketers”, for that is what they are) is a tiny fraction of the total expenditure on security measures. It’s the fat ginger kid in a schoolyard of alpha males. There’s training – but this is simply a repackaging of facts designed to tick a compliance box, as we all know. Even those who claim to “engage” users are often just bolting on cartoons to an otherwise patronising or overly simple message.
To get true engagement, take note of at what people like to do / watch / eat / experience and just do that. Ask yourself, “what would get my attention? What would make ME see sense?”
Until the institutions take awareness as seriously as they take Data Loss Prevention Solutions (or whatever), we will always be standing at the peripheral of the cool kids group. Because we don’t have a box, or a policy, or any “software as a service”. We just have personality, and communications skills. Something that will engage those who are creating the weaknesses.
Next time you notice this kind of absence (in the trade press, or the awards circuit) – ask why.
It just might start a change.