Socializing information security

In researching and preparing October's security awareness module, we've wandered away from the well-beaten track into what is, for us at least, previously uncharted territory. You could say we're going off-piste.

Our topic concerns the human aspects of information security - a core area for any decent security awareness program and one that we bring up frequently, including a dedicated awareness module refreshed annually. We've always deliberately taken a broad perspective, exploring social engineering, social media, social networking and so on. 

This year, along with the conventional awareness stuff on phishing (of course) plus other scams, cons and frauds, we'll be lifting the covers on how the criminal black hats and other adversaries exploit both their own and our social networks. 

That train of thought leads naturally into counteracting the power of criminal organizations through leveraging various white hat equivalents, both within our organizations (e.g. the idea of proactively recruiting everyone to the information security team, through creative security awareness outreach - an approach we call 'socializing information security') and without (e.g. leveraging professional membership bodies such as ISSA and ISACA, plus local peer groups, plus industry special interest groups, plus all manner of online communities ... and blogs not unlike this one).

I hope you're making good use of myriad opportunities to share information, discuss things and learn new stuff from others in this field. Living in rural New Zealand - almost literally in a field, surrounded by far more sheep than people - I'd be lost without access to the global infosec communities into which I plug myself on a daily basis. 

The thing is,
information security without information isn't security.