bsidesaustin2019

Public health frameworks use a multi-level tiered approach to describe prevention interventions used with medical concerns, behavioral issues, and more. Not every intervention is appropriate for every situation, and no one wants to waste resources by focusing on the wrong thing! Just like a flu shot will not help someone who is dying from a bullet wound, basic security awareness classes and incident response plans are very different types of interventions - although both are crucial in their own ways!

In this talk, this social-scientist-turned-compliance-consultant will discuss how this approach could be applied to information security efforts by re-framing how people think about the programs, policies, and best practices that they are being told to implement and/or follow. This extended analogy can be used to bring people from all departments together to improve buy-in across levels, increase policy adherence, and ultimately make your data safer and your company less susceptible to the consequences of noncompliance.