Osmotic security
Remarks towards the end of a blog piece by Andy Ellis reminded me about a key difference between awareness and training. He and I may be concerned with information security awareness specifically, but the principle is not limited to a single topic. Safety awareness is not the same as safety training. Being commercially aware is different to undergoing commercial training courses. You get the point.
Andy said:
"But much more importantly, we weave security awareness into a lot of activities. Listen to our quarterly investor calls, and you'll hear our executives mention the importance of security. Employees go to our all-hands meetings, and hear those same executives talk about security. The four adjectives we've often used to describe the company are "fast, reliable, scalable, and secure". Social engineering attempts get broadcast to a mailing list (very entertaining reading for everyone answering a published telephone number). And that doesn't count all of the organizations that interact with security as part of their routine. And that's really what security awareness is about: are your employees thinking about security when it's actually relevant? If they are, you've succeeded. If they aren't, no amount of self-enclosed "awareness training" is going to fix it. Except, of course, to let you check the box for your auditors."
Though not using the actual term, he's talking about achieving a widespread culture of security throughout the organization, and in fact in a still wider sphere taking in its customers, business contacts and even, dare I say, its auditors. You can't put all those people through security training as such, but you can create a level of awareness. As he puts it, 'weaving security into routine activities' is one way to make it an inherent part of the organization's fabric. Here are a few more suggestions:
- Informing and motivating managers, and indeed other influential/powerful people (like auditors), to pay attention to information security matters, and pass on their concern to staff ('walking the talk' and 'leading by example' actually work!);
- Encouraging IT professionals to support the cause of information security when interacting with IT systems and, yes, even with real living, breathing people;
- Using marketing, advertising and promotional techniques to create a security brand, ideally forming an integral part of the organization's overall branding, positioning and corporate image;
- Using creative awareness materials on interesting information security topics for a vibrant and memorable campaign;
- Making the campaign an ongoing, continuous, year-round program of awareness activities, helping to embed and reinforce the cultural change as a permanent fixture, not a one-off event just to satisfy compliance obligations.
Summing that all up is the concept of osmosis, essentially steeping the entire organization gently in a warm bath of information security so that everyone gradually absorbs the messages. Slowly, behaviors change to follow changing attitudes, and before you know it, you have a security culture.