Security awareness is pointless without speed cameras.
Too many CISOs ask me how they can improve security awareness in their organizations, and it’s disheartening to have to tell them that they are asking the wrong question. You see, this quest that security professionals have been on for many years to improve awareness amongst staff is moot because the vast majority of staff are aware that security is important. The problem is that behaviours have not changed – staff are still doing the same old foolish things, like swapping passwords and clicking on suspicious links.
Think about driving a car. The speed limits (aka. policies) are universally known (so awareness is 100%) and clearly marked on road signs and yet, as soon as we hit the open road, how many of us would decide to go a little over that limit? And how would that change if we were in a rush, or late for an appointment, or trying to appease a pleading passenger? We know the acceptable limits but the behaviour of the majority doesn’t reflect that awareness.
Now, if that same piece of open road has an obvious speed camera, or an average speed check over a large distance, then the behaviour of the majority is transformed. What makes this change? Consequences.
Staff adhere to policies when there are clear consequences associated with non-compliance, yet most firms barely monitor compliance and almost never follow up on transgressions. This lack of consequences creates and reinforces a negative culture, one where policies become meaningless guidelines and, in an environment where the business leader has much more direct influence, the efficiency of the business process becomes the singular goal.
So, stop thinking “security awareness” and start thinking “behavioural change”. Keep those speed limit signs visible, but supplement them with clearly marked ‘speed cameras’, like DLP or behavioural analytics, to start to change behaviour.