Changing the culture of an entire industry
Engendering a culture of security is something we normally talk about in relation to organizations and parts thereof (for example, changing the culture within management or within the IT department). I'm sure that most people who have actually tried to do this would agree that it's a tough challenge. It's not even entirely obvious how to define, let alone influence or change corporate cultures. It's one of those things that is easier to say than to do.
OK, now imagine your task is to engender a culture of security across a massive public body - like for example the UK's National Health Service. According to a piece in SC Magazine, the Information Commissioner is calling for changes in the NHS:
“The sector needs to bring about a culture change so that staff can give more consideration to how they store and disclose data. Complying with the law needn't be a day-to-day burden if effective measures are built in and then become second nature."
Actually, the quote is a bit ambiguous regarding the scope: is the Commissioner concerned with just the NHS or the sector - presumably the health sector in the UK? Either way, changing the culture is a massive undertaking.
He continues:
“My office is working with Connecting for Health to identify how we can support the health service to tackle these issues.”
I looked through the Connecting for Health website to see what they have to say about information security or privacy, and initially found nothing obvious until I came across the Information Governance section (hint: governance is not normally a synonym for security, but the NHS seems to be developing its own parallel language, for example referring to Serious Untoward Incidents, or SUIs, where plain old 'incidents' would normally suffice). There I discovered some red tape to request access to the NHS network, out-of-date and inaccurate information about the "ISO 27000 series of standards" (that's ISO/IEC 27000), a "detailed 17-page document explaining the background and development of both patient and clinician 'sealed envelopes' functionality" plus, of course, a PowerPoint presentation to explain the 17 pages (!), a vague introduction to information security and various other bits.
Overall, the website leaves a poor impression regarding information security. The information is disjointed, minimalist and full of jargon, so that's one area in which the Information Commissioner can usefully apply pressure supporting the cultural change he anticipates. A coherent, accessible, useful and engaging website would be a worthwhile vehicle for a security awareness program.