Monday 13 June 2016

Do people care about information security?

I’ve been thinking about this question a lot recently, not least because it forms part of a presentation I am doing in August. The reality as I see it is that people who don’t work in information security just don’t seem to give a s**t about it. Is this surprising? Probably not – people have busy lives after all. I’ve seen first-hand evidence though – family members, neighbours, friends – all doing stupid things, getting hacked, losing money, getting socially engineered. They seemed to shrug and not want to take action, as if it were something they had no control over. Infuriating! :)

The infosec community, me included, spend so much time thinking about it at work and outside work (some would say even more so outside of work), spend time on Twitter focusing on it (I get irritated if anything non-infosec comes up on Twitter – sad, I know) and reading blogs and articles etc. The rest of the population is decidedly nonplussed. I recently told somebody who works in marketing in my company what I did; she just laughed and said, “So something really interesting then” in a sneering sort of way. And I know what that meant. It meant she hadn’t spent 30 seconds in her life thinking about how to protect her information (perhaps company information as well as her personal information) and her identity.
So how can we change that? I mean we are supposed to be leading this area. How do we as infosec people change a society’s views? Of course it's ambitious! It would be boring if it wasn't.
I’m intrigued by the question though and intend to spend a lot of time investigating this. I recently set up ‘Information Security Awareness Ireland’ (admittedly it’s early days) specifically for this purpose. There are two broad focus areas in my view (and this view will no doubt mature).
Firstly, we need to focus on what we have at least some control over, namely our organisations and how to get people to pay attention there. That is about maturing the organisational culture regarding information security. This is where I will be focusing my efforts in the coming months.

However, the second and more difficult area is the general public. There are some great campaigns by various groups trying to get children to be safe online, which is great, but I am amazed at how little focus is put on the adults. Surely you can’t have one without the other. Educating the wider public will take a monumental effort over years to change thinking, just as the campaign to change the public’s attitude to seat belts (or smoking, or exercise) took years. I believe that we as leaders in this field need to play a strong role and yes, that means taking a role outside of work. We just need to decide what these activities are and what to prioritise to facilitate change quickly.

Monday 6 June 2016

Information Security Awareness Ireland

As I mentioned previously, I am trying to get involved in some new things that I have been thinking about for a while. I want to formally create ‘Information Security Awareness Ireland’. This is a subject that I am involved in at work, but also something I am genuinely interested in, both from an organisational perspective and from the perspective of a private citizen.
The big question the entity seeks to answer is:
How the hell do you get people to care about information security?

This will be a completely voluntary, not-for-profit organisation.
While it is early days, I see the purpose of Information Security Awareness Ireland being the following:
  • To promote an understanding of information security to the general public in Ireland (it may be a stretch to get people actually interested, but I would like them to be aware of the ideas and concepts).
  • To promote development of an improved information security culture within organisations, both private and public sector, in Ireland.

Now there are some excellent organisations in Ireland already covering related areas, most notably CyberSafeIreland and ISC2. However, these groups are very focused on cyber security for children and, as such, have that area covered very well. My interest is broader than just educating children. Other groups such as ISACA Ireland and the Irish Information Security Forum do cover this topic to some extent, but their remit is so much wider, covering a wide range of information security topics. And obviously there are companies which cover this area and sell their expertise to their clients. However, I believe there is a gap in the landscape in Ireland for such a voluntary group to promote awareness of the topic.

This was very much inspired by Lance Spitzner and the SANS Securing the Human program, which I have blogged about previously. I have taken my own organisation on a bit of a journey in recent years and have seen information security awareness and understanding take a quantum leap. Of course the environment helped foster this, but we developed a program to meet the requirement.

So, in the short term, I will:
  • Set up a LinkedIn group
  • Try to get a few people who are interested in being involved together and have an initial kick-off meeting within the next month
  • Set up a .ie website (in progress)

I am really keen to generate some interest in this. So if security awareness rocks your boat and you are interested in being involved, please drop me a note on LinkedIn or just respond with a comment below, leaving your email address.

Conferences and New Directions

Last week I had a genuinely rare experience (for me). I went to a conference (ISACA’s 2016 European conference – EuroCACS). I have been to many conferences in the last ten years, some way better than others. This one was right up there, but not for the reason I usually would expect.
It started off, for me, quite negatively. On the first day (of three), by about 3pm, I wanted to leave. Sometimes you just get unlucky with the sessions you choose when you go to these events, and by that time I wanted to go back to work as I was so bored (and that’s saying something).
However, as soon as day two started, and for the rest of the event, I was genuinely captivated. There were some excellent speakers and content which was relevant to me from an information security perspective (albeit with a heavy dose of ‘audit slant’... but what should I expect at an ISACA conference?).
The difference this time, however, was that, for the first time ever, I think I consistently understood and appreciated the value of what the speakers were trying to get across. So much so that I felt, and again this is rare for me at a conference, ‘motivated’.
But ‘motivated’ to do what? Actually, things which I would not normally want to do. I wanted to present (and I am getting a chance at the upcoming ISC2 conference in October); I wanted to engage with people (I am shockingly bad at networking at these events); and, most interestingly (again for me), I wanted to make a difference. Now this may not seem like a big deal to anybody else, but it is a big deal for me.
While these thoughts were fresh in my mind, the closing keynote address by Mark Stevenson was inspirational – this is not a feeling I get very often.

He spoke about many things but focused on his ‘League of Pragmatic Optimists’ eight principles. Some of these were completely obvious but nonetheless eye-opening for me. Sometimes in life you find yourself in a malaise. And when you are there, you can often do with a kick up the ass to think in a different way. Of course, and I suspect this may be the case, it could just be middle-age boredom which has found something exciting to focus on.

It’s been a week since I was at this conference and the optimism that I felt has still not left me. I have actually done several things I had been thinking about for ages – literally initiated some new directions for myself. Some of these are what I would call ‘out of character’, but that is what I am excited about. And as I think about them more, I generate even more ideas. I love the idea of ‘generating serendipity’. I am simply tired of being passive. What’s the worst that can happen?