Slowly slowly catchee monkey

As the end of month deadline looms, we're close to finishing January's awareness module on IoT and BYOD security. 

Today I'm working on the awareness seminar slide deck and accompanying briefing paper for the audience group we call 'professionals', blue-collar workers essentially, specialists in IT, risk, security, audit, facilities, control, compliance etc.

We dig a bit deeper into topic for that audience, but not too deep. The overriding awareness objective is to inform, intrigue, motivate and set them talking to their colleagues (other professionals plus the general and management audiences) about and around the topic. Awareness is not training, although there is a grey area and the terms are often confused. 

Ultimately, we hope the pros will pass on some of their knowledge and enthusiasm for the topic to others, preferably with more than just a casual nod towards the information risk and security aspects. 

IoT and BYOD are obviously IT-related, so the pro materials are IT-centric this month. The awareness poster image above mentions "latest hi-tech goodies" specifically to catch the eyes of geeks and technophiles, people who just love hot new gadgets - reading about them, drooling over the adverts, sometimes buying and using/playing with them, showing them off to their less fortunate playmates ... and occasionally hacking them to figure out how they really work.

An article about hacking building management systems (things!) caught my beady eye today, for several reasons. It's right on-topic, for starters, exactly the kind of intriguing tech content that appeals to the pro audience we have in mind. The author's hacker mentality rings out. He has spent countless hours exploring their capabilities and vulnerabilities for more than a decade. To most of us, that's unnaturally obsessive behaviour but to him it's a hobby, a fascination or passion, fun even. I'm sure he'd do it even if he wasn't being paid to hack (he's a professional penetration tester by day).

I'd love to inspire such intense passion among our customers' employees on the defensive side ... but it's hard given that I'm not there in person and anyway security awareness has a broader and more realistic goal. Some workers may be fired-up by something I've written, although for many the most we can sensibly hope to achieve is to spark an interest. Getting the light to flicker on, occasionally, is the starting point. From there, we can work on making it flicker more often and glow more brightly, gradually changing attitudes, beliefs, behaviours and decisions ... but first we need to open eyes, ears and brains to the fundamentals. The pro audience helps us do that, at first hand.

"A culture of security takes time"
Dan Swanson