The Australian Cyber Security Centre (ACSC) released a new video on Thursday afternoon, "Recognise. Report." It's fronted by so-called comedian and radio presenter Merrick Watts. And it is, to borrow a word that cropped up more than once in people's responses on Twitter, cringeworthy.
Watts walks us through his message from the fictional Department of International Cyber Security (DICS), accompanied by a series of really, really obvious character stereotypes.
The nerd is fat, bespectacled, unfashionable, and lacking a sex life. The dodgy pizza delivery guy is of Middle Eastern appearance. The one woman on-screen has to defend herself against the advances of a male colleague -- and that public servant is uptight and pompous. And so on.
Information security professionals should indeed cringe at this crass portrayal of the problems we face. But information security professionals are not the target audience, nor are the clever people who read this column.
No, this video is meant to be a conversation starter, and the target audience is the vast number of ordinary citizens in offices, factories, and workshops across this vast brown land. People whose knowledge of anything cyber extends no further than whatever they've seen on TV news and in bad movies. You know the ones.
As the ACSC Coordinator, Major General Steve Day, told ZDNet via email, "The video is aimed at a non-technical audience and can be used by organisations to help educate their staff on the cyber threat."
Indeed, this video would integrate nicely into a one-hour group training module. Start by showing the video, then lead the group through some discussion questions. What risks to the organisation did you see in the video? Explain why they're risks. The risks were depicted with stereotypes, so why is the real world more subtle? How would you be more vigilant than the bunch of DICS in the video? What incidents have you experienced or heard of that the group might find useful?
Once you've brought everyone up to the end of this very first page in the cybersecurity handbook, then you can start on the trickier stuff. Inoculate your staff against phishing attacks by punching them in the face. Build resilience through things like the SANS Institute's Securing the Human program.
This is precisely the stuff that Gartner talks about as people-centric security (PCS). It's precisely the point Deloitte made this week, noting that Australian businesses are still spending too much on infosec blinkenlights and too little on resilience.
As Gunnar Peterson blogged on Thursday -- the infosec guy, not Kim Kardashian's personal trainer -- we face a serious infosec skills shortage. Security teams have to get better at letting other people do the work.
"Function in large part in an advisory role. Reagan and the CIA in the Cold War come to mind. Instead of fighting a hot war all over the globe, send out advisors and train and arm the rebels. That is way cheaper, gives you better coverage and scale. We cannot implement everything inside of infosec, we need other teams to help. Dev, QA, Ops, those teams in turn need training and tools to be effective," Peterson wrote.
"Don't like [the] Reagan/CIA example? Fine. Try Charlemagne."
Which brings me back to the ACSC video...
Yes, this video cost $203,199.70 to produce. That's nothing. It's about two episodes of "Deal or No Deal". In defence and national security budget terms, it's back-of-the-couch money. It's less than a tenth of a cent per Australian citizen. If it causes just one person to stop and think for a moment thanks to a half-remembered corny joke from Merrick Watts -- if it stops one serious intrusion ever -- it will have paid for itself.
Sure, the video is sexist, racist, phobic of a few other things, and generally awful. But let's face it: "Sexist, racist, phobic of a few other things, and generally awful" is a fair description of its Australian target audience. This video is sure to be a winner. Well done, ACSC.