A few days ago, I was privy to the first quarterly Security Awareness Newsletter distributed by a large corporate organisation for the digestion of a globally dispersed workforce. By all accounts the content had been decided, written and designed by their Information Security Group, with reviews and editing by their US-based legal department - a process that apparently took 6 months to complete - before the edition went out by email...Now, I don't know about you but I reckon the average Information Security professional knows as much about marketing, design, and effective communications as a coffee table knows about the origins of life, the universe and everything. I also reckon that in a multiple choice exam on the subject of global marketing, the answer "d) distribute all content in English-American after being reviewed and amended for audience acceptability by an American lawyer" probably doesn't score you maximum points. You end up with content so dry and devoid of life that it might have fallen from the moon.
The main problem I see is that said newsletter doesn't appear to have a purpose other than to tick a box which says "security awareness campaign." If that's the only goal then consider the box ticked but I doubt it's of much use.
Comments (1)
Dead right Stuart.
Still, they score higher than those who think a compulsory once-a-year whole company "security training" session counts as a security awareness program.
And they in turn score higher than those who have done the "security training" thing once in living memory but daren't repeat it because it was a total flop, resented by all concerned.
And finally, there are MANY organizations at the bottom of the pile who have made no attempt whatsoever to "do" security awareness. They clearly don't get it.
My personal cringer is to see corny or daft cartoons in posters, Learning Management Systems and other security awareness materials, as if the audience consists of pre-pubescent teens. Humour is fine, no problem there, but the presentation is totally unsuitable for grown-ups in a professional work setting.
Adult education is really not that hard ... for educators. It evidently IS that hard for many infosec pros.
Interesting that you mention "marketing". Marketing information security as something the business actually values and needs is an excellent perspective, and suggests the use of advertising techniques, like for example coordinated print, TV and radio adverts (true multimedia!), all based on a consistent and distinctive theme and clearly associated with the "brand". Take the next step by identifying separate target audiences, and finally make the approach topical and engaging, and suddenly the light goes on.
Like I said, easy if you know what you're doing.
Rgds,
Gary
Posted by Gary Hinson | November 13, 2008 5:20 AM
Posted on November 13, 2008 05:20