Australian Security Magazine, Oct/Nov 2015


Cyber Security

The cult of the aware

By Steve Simpson


Is there anything that is treated more apathetically in corporate education processes than finding out that you have to do the Security Awareness module? Having been an information security professional for many years now, I still get a sinking feeling when I receive that message telling me to click on the link to undergo the awareness training. Even my passion for this topic does not help me look forward to this event. I recall one time where I was reduced to taking a series of screenshots for every page displayed so that I could just go to the quiz at the end and then review the screenshots of the scenarios to answer the questions. There is no way that I am the only person to have come up with this solution, which does nothing for me (or other users), nothing for the company and causes no improvement in the awareness of security aspects. For me the lack of enthusiasm could be just because it’s a basic part of a topic that I know and love so well, but that does not help to account for why it is such a common reaction, and I believe it may be the way that such learning modules are presented to us that results in such an unhelpful attitude.

As a security professional, I find that I am quite jealous of the way that Work, Health and Safety (WHS) has become such an accepted and noted part of corporate education. WHS has actually become an integral component of corporate culture; everyone seems to know their role as part of the big health and safety picture. In the resources industry this is taken to the extreme, where some companies even forbid staff (and contractors!) to cross the road except at a designated crossing, but I see more realistic evidence in most organisations whatever their industry vertical.

Why is it that information security is not currently seen to be an equally integral part of corporate culture? Surely this is the Nirvana of all security professionals, to have information security become an integral part of the culture of a business. I suspect that at least part of the reason for failure to date is in the history of our profession. For many years security was about blocking bad things and sometimes the link to bad things was a pretty tenuous thing. Reporting always had a negative overview and rarely included detail of how threats would impact the business as a whole. The security manager made the decision to say no to certain practices and everyone else had to go along with that. Luckily, this attitude in security professionals is greatly reduced these days. The vast majority of us have a greater understanding of our role these days

