If you walk the corridors of many large enterprises and peer into the cubicles, you will see more and more information security posters being hung. A corporate investment in eye-pleasing glossies surely means business.
Reality states otherwise! Why does the glossy not
mention the various breaches and information leaks that have happened over the past
year? Root cause analysis of the majority of the fatalities ends up at the
ubiquitous "operator error" dead-end. Not one single solitary information security systems audit has
addressed root causes or system gaps that have resulted in the
fatalities. But there are plenty of posters of Security and Privacy all over the
Posters and more posters to implement
"communicate, over communicate till the message hits home and results in
action". All this is at best wishful thinking. When there are many
posters, they will become part of the furniture and people will ignore
them. Wouldn't it be fascinating if employees were randomly interviewed in the hallway as to why they hang these posters? I bet many people wouldn't be able to explain security beyond a snide remark that some executive felt it was important.
Every bit of communication needs to be well thought out, and
certainly not be a space filler or part of some mindless mass campaign
with no clear objective. If we are to be successful in evangelizing the importance of information security, it is vital that we assess what
each and every poster and visual communication seeks to achieve. To be
taken seriously you need to take yourself seriously. In the same way,
for visual communication to be taken seriously, it needs to stand out
and be connected with other things that are happening at that workplace
and not be part of the clutter.