Is awareness really the goal?

By Dennis Kuntz

When I was first asked to write a post on “Security Awareness”, I began to think seriously about what is meant by “awareness”. The conclusion I came to was a little frustrating: too often folks think of awareness as an end in itself – as if making folks aware of something is the same as doing something about it.

Now, it may seem obvious that this is not the case, but how often have we – I include myself here – just lobbed something over the wall to make folks aware of an issue? Maybe it was a new risk or vulnerability – whatever – and then we washed our hands of it as if we had done our job?

This is obviously not limited to Information Security or IT folks – no particular group has the market on this practice cornered. But that being said, awareness needs to be backed up by two primary things: education, and action.

Education

When you make someone aware of a situation, issue, or risk, how often do you take your audience into consideration? Tech guys and gals are infamous for using jargon in situations where it’s just not understood by others in the room – we’re right up there with doctors and lawyers! Now, that’s not a bad crowd to hang with (well, except for the lawyers), unless of course you want to be listened to, or even better, understood.

If Joe the BizDev Guy walks into a BlackHat conference, I have no sympathy for his confusion (let alone his compromised devices) and would consider him out of luck. However, if I’m in charge of protecting his data at our company, my job requires me to make sure that I communicate important matters to him in ways that allow him to make educated decisions. Plus it’s just the right thing to do.

Action

If I’ve made my data owners and/or boss(es) aware of some important issue, I’m not done with my job. I need to take the necessary actions to follow up on those issues right up to the degree of my authority. If I lack the necessary authority, and especially if the issue is important enough, then I need to take action to be in the faces of those who do have the authority until some resolution occurs.

There are of course times when we cannot get the resolution we want; far too often, I would say, this is the case. But we need to make sure that we’ve done everything we can to address the issues at hand instead of just being content with their “awareness”. Follow-through in our jobs is vital – people can lose jobs, or even die, without it.

Awareness is great, but not by itself. Combined with thoughtful, communicative education and resolute action, they become a potent triumvirate.


About Dennis Kuntz
Dennis Kuntz, CEH, has been in technology for 15 years in various roles. While he started out as a programmer, more recently he has spent his time in managerial and technical roles dealing with architecture and security. These include such responsibilities as web application penetration testing, making and assisting with strategic security decisions, and providing technological guidance, education, and prototyping/PoC projects for IT and business units. Currently he holds the title of Senior Director of Architecture and Security for Market America, in Greensboro, NC.

Comments

2 Responses to “Is awareness really the goal?”
  1. Scott Wright says:

    Well said, Dennis. I agree with your assertion that awareness is not an end in itself.

    So, it seems to me that we’ve agreed on the “END” we seek, which is for people to start making good risk decisions. We also seem to agree that there is a gap in awareness which must first be closed. It’s understandable that it’s hard to look past the chasm to see the forest and mountains beyond it that will need to be navigated before we reach the final goal.

    So, I think it’s good for us to be reminded, as you have done, that the chasm is only the first part of the journey.

    What most of us seem to be struggling with is HOW to close the awareness gap, which implies that we need to understand WHY the gap exists, so we can go at the root cause. Michael’s approach is, in my mind, ideal, because everyone’s situation is different. As we’re fond of saying, there is no Silver Bullet formula for a quick and effective indoctrination into the world of risk management that gets us over the chasm, and moving onward.

    That takes dialogue about the organization’s objectives, the culture and the environment they must function in.

    But I digress. For further digression, I wrote a related post this week on The Honey Stick Project blog in The Streetwise Security Zone (see link above). I think the bottom line for bridging the chasm is to understand the fundamental psychological problem between us, who can envision and articulate the risks, and those who have never had to think about the connection between their everyday experiences and the consequences of their risk decisions. These consequences, like the frog in the boiling water, are sneaking up on them, to the point where they need to have their expectations for outcomes based on old habits and social norms reset.

    Pretty deep, eh?

  2. Dennis Kuntz says:

    I had actually read your post and I think it’s all a good illustration/analysis of the situation. I think it’s a combination of issues of communication, expectation, education, and sometimes a lack of plain old moxie to make it better that get in the way – from everyone involved. (Obviously not all situations – or people – are the same, of course).

    In my next Security Catalyst post I plan on exploring one behavior I think folks in our “positions” (which will get defined in the post) really need to stay away from that not only furthers the gap, but increases the tension between those involved.

    Thanks for the comments and thoughts – they are much appreciated!