Many security professionals face the same challenge – improve security and reduce risk with a fixed or reduced budget. There is a lot of information on the internet about using Open Source software to build systems that can help you reduce risk.
But I propose that we, as security professionals, must be teachers as well as technicians. Yes, we can do the work ourselves. But how much better would it be if the entire IT department, or even the entire organization, understood basic security principles and could apply them in their day-to-day activities? It’s like the old adage: give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime. Let’s teach people to be secure so they can apply security principles both at work and in their day-to-day lives.
This article’s focus will be slightly different from a formalized Security Awareness Program (see Securing the Human for details on that). Instead, we will look at ways any security professional can communicate more effectively with others, so that security concepts become a more prominent part of people’s day-to-day lives.
I’m sure all of us know an “angry security guy”. Maybe we are that guy. But the first step to effectively communicating security concepts to others is to be approachable. Staff need to feel free to come to us with questions and concerns. In particular, they need to feel free to bring any possible risk to our attention.