Friday 17 March 2017

St. Patrick's day light show

I've said quite a lot about our monthly cycle. We find a month long enough to explore an information risk and security topic in some depth, and yet short enough to avoid terminal boredom for us and our clients' awareness audiences.

There are two longer cycles too. A few topics are revisited every year because strong security awareness is such an important and valuable control in the obvious areas, such as:
  • Malware
  • Social engineering
  • Physical security
Other awareness topics are dusted off and refreshed every so often too - things such as:
  • Securing portable IT devices
  • Cryptography including authentication and access control
  • Privacy
  • Fraud
  • Patching, version control, change management and so on.
Although it's not as critical for everyone to know all about them, a general appreciation is beneficial, so these get refreshed every few years.

As well as covering specific topics, there are more fundamental themes such as:
  • Information risk and security (of course!)
  • Governance
  • Compliance
  • Control
  • Responsibility and accountability
  • Management, oversight, monitoring and directing information risk and security
  • Business
  • Technology
  • Information
Occasionally we highlight and explore those individual themes in isolation, although normally they are just an integral part of the monthly modules. Like threads woven through all the materials, the themes link successive modules together into a coherent mesh, a fabric strip rather than a random assortment of fragments. They help us 'tell the story' of information security.

The long-term thematic approach is a convenient way to handle the inevitable tangents and asides, plus cross-over between many topics. "Phishing", for instance, involves social engineering, technology, authentication, malware, Internet security, fraud and more. In an awareness piece on phishing, we don't necessarily need to go into depth on those other aspects since they have been and will again be covered, at other times. It's OK to bring them up briefly and move on. In the same way later on, a briefing or seminar about, say, social engineering might casually mention phishing without having to stop and explain it.

I'll end today by mentioning that not everything we do is cyclical or repetitive. Part of the fun in this game involves spotting and responding to changes - new threats, new modes of attack, new incidents, new challenges, new wrinkles, new tricks ... which finally brings me back on track to talk about April's awareness topic, security innovation. Must press on: awareness stuff to prepare before digging out a green T-shirt and the obligatory pint of Guinness.

May all your information risks be in the green today. Sláinte!
