Creating A Culture of Security

| ̄ ̄ ̄ ̄ ̄  |
| Security      |
|   is  a           |
|  mindset      |
| _____ |
(\__/) ||
(•ㅅ•) ||
/   づ

Call it wishful thinking, but this may be one of the most oft-used phrases in Information Security. And the truth is, if we really want to make security happen, meaningful and life-changing security, it ain’t gonna happen without a whole lotta change.

Security isn’t something we can just plug and play. It’s actually a journey, and one that requires our long-term commitment.  We won’t like what we have to do to get there.  There will be costs, setbacks, inconveniences. And it won’t happen fast. But that’s been part of our undoing: immediate gratification, taking the easy way out. That’s not how you do anything well. And that is just not how you do “secure”.

A friend of mine, Jessy Irwin, shares her passion and recommendations for great OPSEC and EDSEC on Twitter, often via her very popular Sign Bunnies. Tonight, she delivered a fabulous impromptu seminar that I’d like to share. Along with help from the Sign Bunnies.


And that’s it right there. Security is a mindset.

For many security professionals, awareness is a waste of time because the “analytics suck.” But education isn’t a one-size-fits-all thing.


We keep trying to use code in places where technology can’t fix the real problem. It will take a diverse set of tactics to build a mindset.

| ̄ ̄ ̄ ̄ ̄  |
| Technology |
| can’t fix       |
|   security     |
|  education   |
| _____ |
(\__/) ||
(•ㅅ•) ||
/   づ

Technology can’t fix security education—at best, it’s a content distribution mechanism. And the work ahead of us isn’t work that scales.


If we really want to save/fix/protect/keep the web, it’s time to get personal. To do the hard work. To teach. And not leave people behind.

| ̄ ̄ ̄ ̄ ̄ |
|  Leave        |
|   no one      |
|  behind       |
| _____|
(\__/) ||
(•ㅅ•) ||
/   づ

What is the point of everything we do if we aren’t finding ways to turn our users into one of the strongest defense tools we have?


What’s the point of all of this, really? What are we even protecting if we’re going to blame people for not knowing things?

Right now, individuals think security is hard and it takes a huge investment in time to get right. SO not true. Let’s fix this perception.


We should /ALL/ be doing this. Our work is at the core of everything; this would help fix the infosec image problem.

| ̄ ̄ ̄ ̄ ̄ ̄|
| We should    |
| all be doing   |
|  this!!            |
| ______|
(\__/) ||
(•ㅅ•) ||
/   づ

The whole point of security is that we get to solve big problems to support and empower innovation. We get to make awesome things happen.

And that’s what we do in InfoSec. Our work is about making a real difference in what we use every day. My thanks to Jessy, the Sign Bunnies, and to all the incredible people who endeavour not just to secure but to educate. Security isn’t something that should exist beyond the reach of those who aren’t technically proficient. It’s something all of us have a stake in, so each of us, whatever skills we hold, has a contribution to make. Habits can change. Mindsets will develop. And it will be in that accumulation of efforts that the tide will turn, and we can address the problem at a much higher level. That’s where real change will happen.

Thanks for reading and remember – you own your own security.
