Editor's Note:This guest blog post is from John Andrew at Honeywell.

How do we persuade folks who are resistant to 'Security Awareness' efforts? Great question! I was fortunate to pick up a rare last minute opening - to go on a 3 day backpacking & camping trip at Cumberland Island National Forest on the coast of Georgia. The backcountry orientation by the National Forest Service was great.  One of the first things they brought to our attention was an old ‘Smokey the Bear’ poster. The poster began… 'Repeat After Me… Only you…' [Readers fill in the blank – there was no additonal text on the poster] We all knew how the 'awareness message' ended.  Had it down cold.  'Only you … can prevent forest fires.' Sharing this story is a roundabout way of saying that effective ‘awareness’ campaigns become part of the culture in great part because of persistence.  The interesting thing is that once the awareness campaign takes root – most people will not forget the concept – or in this case the very words used in the campaign – for the rest of their lives. Getting executive or manager ‘buy-in’ is a huge part of getting an awareness campaign moving.  Perhaps reminding 'resistant' folks of the Smokey the Bear campaign would be effective in persuading them to go beyond a 'Check-the-Box' mentality.  Show them the poster (it's freely available on the Internet if you Google it) – and ask them to complete the sentence. My bet is that 9 out of 10 folks exposed to the Smokey the Bear campaign will get the message.  If they don’t know the poster because they are not from the US – share with them that folks exposed to the campaign remember this very effective awareness campaign 30+ years after they first saw it.  Well done awareness that leverages persistence is extremely effective – and permeates the culture for a very long time! Go beyond Check-the-Box and reach for changed behavior.

John Andrew's Bio:  John supports Honeywell Global Security Awareness efforts as a Project Manager (PM).  His IT experience has been varied and extremely interesting, requiring massive amounts of lost sleep.  John has been involved in systems development, database administration, ERP implementation and Security, SOX Compliance, IT Audit, PM for Vulnerability Assessments / Penetration Testing efforts, and various Corporate and IT Risk Assessments.  His interest in IT and Network Security began with his tenure at Internet Security Systems (now IBM) – where everyone from the CEO to the janitorial staff ate, drank, and lived security.    

About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.