Nice observations from the Tripwire blog. You can have the most comprehensive security programme in the world but unless everyone understands their role it is bound to fail. One thing I’ve learned from other, non-security, corporate transformation projects is that not everyone will “get it”, no matter how simple and exciting you make the messaging. One thing that seems to have a major effect: find and nurture security champions in your organisation so that you have a willing cohort who can communicate with their peers. In one of my previous lives I was a “Brand ambassador” for a business re-branding project. I enjoyed the role, even though it paid nothing…:
[…] Notice a gap in security but feel unsure if it’s mitigated through internal controls? Take an IS team member out for coffee and have a chat about it.
I have worked in this industry for over 10 years now. Not once have I gone for coffee to discuss cyber findings and not enjoyed it. Never have I been embarrassed by users asking for advice or requesting further details on processes.
The fact that they’re showing interest and wanting to be a part of the solution means my job is making a difference. Awareness training, transparent processes and collaboration are how we make our environments more secure.