I’ve met a great many IT security folk over the last few years, and I think that there are two very broad categories:
1. IT security professionals that understand they are marketers
2. IT Security Professionals
When we try to persuade employees to take notice of our messages, our policies and our work, it is a sales scenario. We need them to WANT to. It reminds me of a great conversation between Vince Vaughn and Jennifer Aniston in the chick flick “The Break-Up”.
Pushed to the breaking-point after their latest, "why can't you do this one little thing for me?" argument, art dealer Brooke calls it quits with her boyfriend, Gary, who hosts bus tours in Chicago.
The point is, employees just do not care about the implications of poor IT security behaviour. They care about their bonus. They care about going home. Home – to have fun, and eat nice food, and see their loved ones. That’s what they care about.
So why do we think for one second that they’ll give a rat’s ass about our carefully planned IT security policies???
No. We have to SELL it to them. It’s marketing baby!
Ahhh (I hear you say) but marketing works for desirable things. Things people want – even if they do not need them.
It used to be that history was reserved for the bookworms and geeks in the class – but Horrible Histories changed all that. Spawning a generation of young historians, it applied contemporary comedy to the stories, performed them with commitment, and boom – a sale was made.
It can be done. People want to have fun. Trade that for their attention.
It works everywhere else, why not information security?