Recently, while attending RSAC in San Francisco, an old fire truck was out for community education close to the financial district. As a kid, fire trucks were always fascinating, and the men and women brave enough to be first responders were truly heroes to me. When I was a kid my father worked for the local police precinct and my uncle was Chief of Police. Being behind the scenes at such a young age was an eye-opening experience to say the least.
Now this fire truck was definitely before my childhood, but the nostalgia of it all hit home. Since this was RSAC week, it was a good time to stop and reflect.
If you have never been to RSAC, there are around 50,000 attendees and thousands of vendors. AI, Machine Learning, Zero Trust, NGFW, SIEM, etc. dominate the headlines. But it’s important to remember that security also encompasses physical security. Now this fire truck doesn’t remind me of a blazing fire that the fire department is rushing to extinguish. Rather, it reminds me of touring the fire station, listening to and watching how to stop, drop and roll, how to stay away from gas lines, and other emergency procedures. In other words, security awareness.
So where do we start in security awareness? First and foremost: people! The most important thing we can do is avoid injuries and loss of life. That’s why we have drills for tornadoes, fires, earthquakes, etc. These drills must accompany policies and procedures that everyone needs to be aware of, from first responders to every employee.
Security awareness is just so important. From protecting the most valuable asset of any organization (its people) to keeping its data safe and secure, awareness can be the difference maker. At RSAC there were talk tracks such as “Let’s Blow Up Security Awareness and Start Over”, “Gamifying Security Awareness”, and “Security Awareness: We’re Doing it all Wrong! And let’s fix it!”.
It’s fairly obvious that security awareness is broken and needs fixing. That’s why security awareness needs to be like that fire truck to a little kid: a reminder to practice good security hygiene. As security professionals we should focus on awareness in the same way a firefighter would when talking with the community. This means it must be pertinent, informative, and executable.
Pertinent – Every security awareness program needs to be relevant so the organization and its people take it seriously. As a kid, seeing that fire truck was proof that you needed to pay attention. This means the organization needs to compartmentalize its awareness program to provide relevance. For example, everyone can relate to fraud and how it can impact them personally. Relating this to attack surfaces such as “Social Engineering” helps convey the importance of the topic.
Informative – Once everyone understands why it’s pertinent (if the business lost this data it would go out of business), it must be informative. There are numerous examples of how to protect yourself and the organization. Awareness must be informative and cover the what (please don’t click email links) and the who (call 911) that is being asked of them.
Executable – Our policies and procedures must be executable (Stop, Drop, Roll). We must also practice executing our plans to ensure that everyone can execute in a time of crisis. These practices should simulate the real world and can be used in conjunction with other security practices (penetration testing).
Remember, we all need a friendly reminder – a fire truck. And this means we must all do our part in helping our communities stay safe, and that means digitally safe as well!