28 days of awareness: day 1
Mornin' all. I've decided to take you behind the scenes here at IsecT HQ to reveal what's involved in preparing the next month's awareness materials. So, throughout February I'll be blogging every day about what we're up to. If you are responsible for security awareness, or running a small business, you might like to play along, or chip in with tips and ideas. How do you do it?
OK, here goes, day 1, February 1st. This blog piece will be longer than most as I provide some context.
There's always admin to do after an awareness module is completed and delivered - checking the websites, tidying up the server (and our desks!), making sure customers have got the materials, taking offline backups, setting up a directory structure for the next module, claiming expenses, that sort of thing. We usually try to give ourselves a bit of a break after the intensity of the previous month's slog, although not this time: too much else on the go!
I am preparing for a short assignment in Melbourne, leading a one-day security metrics workshop. For a few weeks I've been liaising with the client contact to make sure we are aligned on expectations and well prepared to get the most out of the day. We have now agreed the agenda and I've sent some "pre-work" for attendees to do - mostly to 'warm their brains up' so we can dive right into the work. Throughout January, in parallel with the work on the awareness module on 'surveillance' just delivered, I have been developing a set of example metrics aligned with ISO/IEC 27001 to supplement the so-so examples in the new version of ISO/IEC 27004. I'd like to take a draft of the metrics paper with me to Melbo to stimulate the creative process, including example metrics in the specific areas that the client needs most. I'm spending roughly an hour or two on that every day and have more to do before my trip.
Our next awareness topic is malware. It's a crucial part of information security, and clearly a core topic for security awareness which means we cover it every year. We therefore have a tidy stack of malware awareness materials going back more than a decade which sounds like a good place to start this month's module, except that things have changed. The mix and design of awareness materials we are delivering each month is constantly evolving, and the malware risks themselves are moving on, so in practice those old materials are of limited value in preparing new modules. Still, I need to look through the old stuff for items or ideas that we can re-use, and think about new angles that will make the topic engaging and relevant this time around.
So, what's going on in malware? Perhaps the most enjoyable part of my job is keeping abreast of developments in information security to spot and understand emerging trends. In practice, that's a lot of Googling, tracking blogs such as Brian Krebs' and browsing magazine-style sites such as The Register, and plugging in to my social network. I'm working, honest! Two obvious themes in malware are phishing and ransomware: we've covered those before (more than once!) so there are awareness materials in our back catalog that we might be able to revise and re-issue for March. The challenge, though, is to make the awareness module 'different' and hence more interesting every time. Right now, I'm thinking about new angles, new challenges, new threats, new vulnerabilities, new impacts. What will be our malawareness theme or themes this time around? Hmmm, I have a few vague ideas in mind but need more time and more research to crystallize my thoughts into specific objectives.
Another task at the start of every month is to think up designs for 6 new awareness posters for our graphics team. It's good to draw on the specific themes as well as the general topics, so we're a bit stuck until those thoughts crystallize. In practice, the thematic and visual creativity go hand-in-hand. Basically we need to clear our heads of the last topic and daydream around the next. It's harder than it looks!