What are good ways to educate about IT security in a company?

What has worked on several occasions for me is to stick the following chart in front of management:


Run down the list of threats (left column) and ask if they believe any of the types of people described could harm the business.

If so, then you may have won a battle. Now you can describe what is needed to address each of those threats.

@atdre had a great comment about this chart on a different question:

I don't like this because it doesn't convey the power of collusion or conspiracy. The underground community and underground economy puts all of these guys in the same room together and gives them tools to trade. – atdre

So you may want to extend the list of threats to include communities.


Launching a "simulated" attack against your company's network should only be done with explicit, written permission of senior management based on an understanding of the scope of your work and agreed limitations on the results of your attack. Otherwise you risk getting yourself fired for sabotage, espionage, or just plain violating local rules.

But how do you get such permission when there's no awareness of the problem? That's where your "elevator pitch" idea is a good one. I'd recommend taking it to the relevant people in the company hierarchy in the correct order, starting with the IT staff before you go to the management/C-level/directors. The management have delegated responsibility for day-to-day operations to the sysadmins, who are the people who will ultimately have to make any changes. Presenting your suggestions as an edict from on high will only serve to alienate the people whose job it is to implement those suggestions.


The conversation about security with the people with the money is always a conversation about risk. Do not do over-dramatised elevator pitches, or run around screaming about the end of the world. This is an easy way to become easily discredited and generally ignored. Instead, talk to the business about what they're trying to achieve with their systems, and then present the current risks they're carrying as a result of their (lack of) security controls.

If you can convince the business that they're carrying a risk that will cost them £10 million pa in incidents, that you can eliminate with a £100,000pa control, it's a no-brainer. They'll jump at the chance to cheaply reduce their total risk.

Everything that the business spends needs to be justified in the context of the business. "We have no antivirus on our public Windows-based webserver" is meaningless. "We're vulnerable to having our service disrupted about once a year, costing £2 million each time" is meaningful.

Once you've got your fancy new set of security controls built, the challenge then is keeping them effective. Security is about process as well as technology. Once you've convinced the business to spend some money reducing their risk, the problem then becomes altering the perception that security is something you buy. In actual fact, it's something you do.