Information security is an exalted field. Exalted both in the sense of "noble" and in the sense of "inflated". We practice security as a dark art, a complex discipline of insiders with obscure acronyms. Even more than other areas of IT, security professionals are a "special" breed, as one can clearly see by the many certifications following our names, almost like titles of nobility. Yes, security is complex and esoteric. No, it should not be the practice of the few, but the practice of the many.
I've often talked about security awareness and education as the least expensive and most effective security investment. If this is true for large organizations, it is 10-fold so for small business. The luxury of staffing a security department is absent but the need for security is just as big.
To take that thought one step further, I urge that we democratise the practice of security in our businesses and institutions. We must think of security for the people, of the people and by the people. It's time to renounce our titles of nobility and make security accessible, participatory and popular.
What does this mean in practical terms? It means expecting more from users and giving them the knowledge and tools to be lead actors in their own security. We must move beyond security awareness to security action.
Look at most corporate security policies: a long list of "do's and don'ts" heavily skewed on the "don'ts" side. We want users to change their passwords every so often, but apart from that we don't expect them to do much, only refrain from the bad things. We see users as obstacles to security, as those most likely to screw it up and cause problems. Our users oblige: they assume security is "handled" by someone else, it's someone else's problem.
Users won't take security responsibility if our expectation is that they are the problem. It's the same in society: rulers used to claim that the masses were too ignorant in the ways of the world to have a say. Well, it's not until you give them a say that they have any reason to be informed, involved, active. Users are much smarter about security than most security professionals give them credit, and that's in the context of low expectations and no training.
If we look back over the last 10 years, we will notice that users have become a lot more savvy about security. Over time our users have learned to be suspicious of email attachments, links, phishing attempts, spam and obscure websites. They are more careful with their passwords, laptops and media. Most of that improvement has come from their own efforts to learn from mistakes. Imagine what would be possible if we actively trained them in security, if we increased our expectations and empowered them to be active participants in their own security.