* * *
1) K, how did you end up running the world's most innovative security-awareness company?
Years ago, I was about to choose between an offer to work as a security analyst at a consulting firm and starting my own company. I prepared a spreadsheet listing the pros and cons, and made my decision – to accept the job offer. I shared the decision with a friend who was so surprised that he demanded the spreadsheet. I e-mailed it and he called back a few minutes later. "The data," he told me, "don't support your decision. You're acting out of fear." There's nothing like an honest friend to point out when you're being a coward. So, I followed the data and found that the recipe for effective information security is the same as what it took for Dorothy and her friends to get home from the Land of Oz: a heart, a brain, and a little courage.
2) You have an immense stock of original, creative, and amusing posters. Tell us about the artists you have worked and are working with and how you have communicated the ideas that they so brilliantly represent in their drawings.
Our poster artwork is original and created by outstandingly talented people. Our artists have faced difficult situations in life gracefully. Half are adoptees who have come out of the foster care system. They are keenly perceptive and have a great sense of humor – which I suspect is important to surviving challenges well. Humor is an effective way to get attention, and we have to get someone's attention before we can improve their awareness.
Charles A. Filius is an extraordinary talent; I wrote in our description that "Chaz has been able to do whatever we've asked, except strike a match on a bar of soap…."
Our photographers are willing to go the extra mile – in some cases straight up. An intrepid explorer, adventurer, and chef, Jon Marsh, took the photos of the mountain climbers in posters 127 and 114. What's spectacular about those images is that to get them, he had to climb those ice cliffs as well, and do so carrying a camera.
3) What are some of your favorite posters? What brings them to mind first as you answer that question?
I like posters that have a single concept, bright colors, and that use humor or something unexpected to get attention. See the catalog for pop-ups that show these posters. Of the most recently posted ones, I like 246, "Don't Hoard Friends" because it's a bit unexpected – after all, it's good to have many friends, isn't it?
My favorite watercolor art posters are 211 "Wizard of Oz" because it makes me smile and 237, which asks a vital question. We don't always recognize that data can be worth exponentially more than hardware.
Favorite funny cartoon classics include 136 "There's always free cheese in a mousetrap," 171 "Santa's naughty list," and 164 "Fairy tales" because it reminds us that identity theft is not new – it happened to Red Riding Hood's grandmother.
Among the photographic posters, I'm especially fond of 107, "Did I log off?" and 144, part of the choose-your-risks series because it emphasizes that some risks are choices – and we can reduce the risk with simple actions.
4) Going beyond the artwork, what are some of the other aspects of your work that you find most interesting?
Storytelling is part of my culture, and I put a lot of energy into the one or two presentations that I do each year. I get a lot out of them as well.
Working with other awareness professionals is rewarding. I enjoyed facilitating a security awareness peer group that met in different areas of the country and was attended by some amazingly brilliant and creative people. Recently, I've worked on some textbooks and have helped to write two books on digital forensics.
5) I've always enjoyed your chapter on security awareness programs in the Computer Security Handbook, Fifth Edition. As we move towards the Sixth Edition, what will you be adding to the chapter or revising?
The chapter will have a greater emphasis on the importance of storytelling in organizations to improve awareness efforts, including criteria for effective security awareness stories. It will also include new information on brain-based awareness and how to engage multiple areas of the brain to deepen the impact of awareness materials. Other topics will be uses of social media for awareness and the idea of using a perpetual awareness calendar and communications plan to keep an awareness program on track continuously. Also, the chapter will address how using a reporting system similar to the one used in the general aviation industry to allow pilots to self-report errors within 24 hours without incurring penalties can improve security.
6) How do you see security awareness evolving?
Role-based awareness will increase with messages targeted and tuned for specific high-target groups such as administrative assistants, help desk personnel, executives, telecommuters, and mobile device users. Online courses will be shorter and use more video content, and fresh, short bits of awareness materials will be presented more often. There will be a greater emphasis on competitions for improving security awareness such as the one the U.S. Department of Homeland Security held in 2010. Techniques borrowed from the advertising industry will be used with focus groups to test and fine-tune messages for specific audiences. The use of checklists will increase.
Data mining and tweet monitoring will likely be used to gauge the state of awareness among groups and individuals. Topics such as malware from browsing, location awareness, social media risks, litigation hold awareness, and cloud-security awareness will be needed to address a likely increase in security and privacy regulations and reporting requirements. These developments could result in increased awareness of individual accountability and people becoming less tolerant of or sympathetic toward careless actions of coworkers.
* * *
K Rudolph, CISSP is a widely recognized expert on security awareness. In March 2006, K was honored by the Federal Information Systems Security Educators' Association (FISSEA) as the Security Educator of the Year. Her entries in the annual FISSEA contests for best security awareness motivational item have won in 2005, 2006, and 2007. Also, in 2007, Native Intelligence's OnGuard newsletter won the best security awareness newsletter contest. K has also won awards for her photography.