Why are info security professionals so bad at getting the message across?

Yes that seems like a generalization, but it is partly based on my own experiences. We seem to be great at talking to each other about what the message is, but if we’re talking to another “non-info security” professional, we can’t explain things in ways that work.

I was at a company event yesterday where a group of us were getting awarded for critical updates to the company’s policies. Really it just means we were given awards for a very short deadline to do technical and editorial reviews and edits of the new policy manual.

Before the presentation, I was talking to other people I had worked with about a different policy issue. I was pushing my side, they were pushing their side. The problem was, they were not given all the information they needed. The person who gave them the information assumed they understood what we wanted on our side. Once I explained in more detail, they started backing our play.

This reminds me of what I saw in October for CyberSecurity Awareness month. I know some in our industry joke about it, but really we’re not getting the message out right, so we need a specialized month to make people aware of it.

I think the best message I saw go out in September was:

dontclick
Which is really a simple message. Yes, most of us know that already, but it does 2 things. 1) It reminds people not to click stuff at random, and 2) it does it without belittling them.

Yes we seem to feel like we’re screaming at the moon sometimes, but that’s because we keep giving the same message over and over, to different people. Sometimes we have to give it to the same person multiple times, but that is where the reminders come in.

What we should be doing is getting the message out every day, in fun and exciting ways. Think of delivering the message like the O’Reilly Head First books. We know to tell our brains to remember the stuff, but it doesn’t because it’s not a tiger. If we do it right, without belittling, or screaming, maybe we won’t need a “Cyber Security Awareness Month” and we can get back to paying attention to the important things in October, like the start of the Hockey Season.
