John Scott

Editor's Note: Over the coming weeks we will post recaps of speakers' talks from the 3rd Annual Security Awareness Summit. Today John Scott from the Bank of England shares details from his talk and experiences from the summit. If you missed the summit, consider the European Security Awareness Summit on 11 November in London.

Back in the dawn of time, I was a Webmaster. That’s the slightly vague title we used to use to describe the person (and at the time it was usually a single person, or at best a small team) who had complete responsibility for the company’s web presence. They were often a combination of graphic designers, HTML writers, JavaScript coders, journalists, statisticians, report writers, project managers, UNIX admins and editors. I enjoyed the varied skill set that the job needed; after all, as Heinlein, the infamous science fiction author, wrote, specialisation is for insects.

But as the job got bigger and bigger, the roles started to specialise more, and now it’s very rare to see one role that covers all of the above in any company of any size. The webmaster "profession" fragmented before we could really define what a webmaster was beyond "you know it when you see it". Now, many years later, I’m an Awareness Professional. That’s the slightly vague title that we use to describe the person (and now it’s usually a single person, or at best a small team) who has complete responsibility for the company’s Security Awareness programme. That means I need to be a combination of . . .

Actually, I’ve been here before.

The main difference between then and now is where the people in those two roles have come from. Going to conferences about web-mastery in the mid 90’s, my peers were often quite non-technical: geeky, but not coders. That was because, from the word go, we realised that the skillset for being a good webmaster drew equally from the creative, the technical and the managerial, or as some might have called them at the time, a ponytail, a propeller-head and a suit. But the 2016 SANS Security Awareness Survey showed that almost 80% of Awareness professionals come from a technical or security background, and that the thing they highlight as their biggest weakness is their lack of soft skills. And that worries me. Because I think we as Awareness professionals need to look to other professions far outside the IT and Security departments to make our messages land in front of the right people, at the right time, and to not only make them aware, but make them change their behaviour. So, when I was given the opportunity to present at the 2016 Security Awareness Summit, I jumped at the chance because, well . . . I’ve been here before.

I presented three topics: Graphic Design, Social Learning and Marketing. I took about 10 minutes for each one, and in that ten minutes I introduced an expert on the subject, gave a brief précis of the field, gave a resource for my listeners to read or watch, and then set a two-minute exercise for them to try each day. Why those three? Because it’s not about awareness. It’s about getting our message in front of someone when they’re receptive to taking it in (social learning), making it stand out from the crowd (graphic design), and making that person want to change their behaviour because of it (marketing). And because it only takes a very little amount of knowledge of each field, 10 minutes or so, to start making our materials far more effective.

If I look in my crystal ball I don’t think that the Security Awareness profession is going to fragment the way that being a webmaster did 15 years ago. And that means we need to define what the skillset of a good practitioner in this field includes. I think that skillset goes far wider than technical and security related skills. I hope you agree.

BIO: John is an established Information Technology trainer, with many years' experience in Further and Higher Education and in training in both the private and the public sector. He has been integral in the implementation of the Bank of England’s current security training programme, and is focused on the transition from passive compliance to active security. John has been a software trainer for most of his career, meaning he has a strongly honed sense of the frustrations normal people feel when faced with new technology. Training is, after all, mostly watching people make mistakes because of unfamiliarity. (And then helping them!) He is passionate about explaining the WHY as well as the HOW, and a strong advocate that if it doesn’t look pretty (or at least professional) people will gloss over it.