Information Security Awareness Forum

I've finally found some time this Sunday afternoon to take a look at what's been going on in the UK with the new Information Security Awareness Forum (ISAF). While my passion for security awareness is undented, it's hard to support the ISAF as currently constituted.

My first thought was to browse their website ... except that today it is unavailable.  Perhaps not the best advertisement for a security awareness initiative!

Luckily the ISAF launch at InfoSecurity last month was recorded and the presentations are still online.

According to David King, Chairman of the ISAF, the ISAF is focused on raising security awareness in the UK by coordinating existing security awareness activities. He told us, more than once, that 'not reinventing the wheel' is a key ISAF goal but curiously enough, the ISAF is essentially UK-only, so presumably he thinks nobody else in the world faces the same challenges. Further he implied that the ISAF will not create anything new, presumably just repackaging materials "donated" by their sponsors. He was also decidedly ambiguous about the ISAF's target audiences: is it large (British) businesses, (British) SMEs, (Her Majesty's) government and the public sector, the general (British) public, all of the above, or something else? Being delivery focused with minimal red tape, relying on trust and mutual support by ISAF "members" [sponsors] is a laudable goal, but is this realistic?

On the whole, speakers from the organizations sponsoring ISAF seemed to agree that security awareness is important although paradoxically Louis Gamon from ISSA pointed out the common perception that security awareness doesn't work (Louis: awareness done badly is more or less bound to fail but that doesn't mean it is worthless, just that it needs to be done better. Please don't throw out the baby with the bathwater).

The sponsors evidently have different perspectives and objectives for ISAF but there was general consensus on the threats (primarily phrased in terms of Internet security threats such as phishing, "organized crime" and so forth - the sort of stuff that ISO/IEC 27032 will tackle) and the need to 'educate the general public' (and perhaps SMEs) about information security appears to be a common goal. A few ideas were presented on how to do this but apart from the presentation by ISC2's John Colley, most of the discussion emphasized how difficult this is to achieve in practice. The idea of 'Making security interesting and relevant for everyone' was widely supported but again there was little in the way of pragmatic advice on how to actually achieve that.

The presentation by Tony Neate, MD of GetSafeOnline, included recent statistics from a UK survey on perceived Internet security threats and incidents. He pointed out that the general public tend to deny responsibility for their online security. Naturally, he promoted GetSafeOnline, demonstrating a clear bias towards Internet security.

Martin Smith of The Security Company, ostensibly representing the "Security Awareness Special Interest Group" (a closed user group sponsored and controlled by ... you guessed it ... The Security Company), made a convincing case for the value of security awareness in a commercial organization, but segued directly into a full-on sales pitch for The Security Company's products. I'm more than happy to declare my own prejudice here: Martin and I are commercial competitors. However, I fear Martin has undermined not just his own company but the 'security awareness industry' (such as it is!) by letting his commercial interests overshadow the ISAF's laudable aims. I've already heard others complaining at the commercial edge to ISAF. It's sad to say but unfortunately I suspect continued involvement of The Security Company in ISAF may seal its eventual fate.

Likewise, Kevin Bocek from PGP evidently saw the ISAF presentation as an opportunity for a straight sales pitch. In Kevin's little world, it seems data encryption technology (or rather PGP's version of it), not awareness, is The Answer To Everything. All very odd since PGP is supposedly supporting the ISAF. The only mentions of awareness I spotted in his presentation were around awareness of (PGP) encryption. [Wake up Kevin, there's a whole world out there!]

According to speakers from ISACA and the CMA, IT governance (not awareness) is The Answer. Once again, why they are even involved in the ISAF is something of a conundrum.

Mark Chaplin from the Information Security Forum initially focused on Generation Y - people born after the 1980s according to Mark - and their easy familiarity with complex technologies that their parents probably do not comprehend. The presentation diverted briefly into road safety awareness by Australian kangaroos (I kid you not) before meandering back to core issues such as changing behaviours (not just making people aware) and achieving cultural change. These are important concepts, albeit buried so deep in the ISAF launch ceremony that a large part of the audience was probably semi-comatose at that point.

So, the bottom line is a rather disappointing launch and uncertain future for the ISAF. As a security awareness professional, I'm very reluctant to knock any security awareness initiative but, frankly, this was a poor show. With too many competing agendas, it's hard to see any unifying theme or predict any genuinely useful output from this initiative. If the ISAF does get it together, fabulous. If not, well I guess there's nothing lost ... except a golden opportunity.