However, the same approach can be taken in an environment where threats are very real and very common: corporate IT. At a briefing last week hosted by security technology company Websense its CSO, Jason Clark, suggested that companies should actively involve every single staff member in security. "CSOs complain to me: 'I have got six people in my security team and I'm protecting this huge mass of infrastructure,' and I say to them 'How many people in the company?' They say 'five thousand' so I suggest making everyone of them a deputy security person for a couple of minutes a day."
Clark's suggestion is that companies encourage employees to be alert for and report any suspicious activity - such as phishing emails, phone calls asking for their password - by setting up a 'catch of the day' regime, where the reporter of the most significant threat is recognised and rewarded.
He had another suggestion: delegating to users responsibility for monitoring their own online activity to check for compromised devices by giving them information on outgoing traffic. "We say to them 'You sent seven pieces of data today. These are the destinations you sent emails to, and you sent HTTP from your iPad. These are the times and these are the destinations. Is that all OK?'"
He concluded: "It's a huge culture shift. Now you have a whole army of people in your company helping you. It's a great way to spend a little bit of money and a lot of extra resources."
But the culture shift is also the problem. It requires CSOs to have a whole range of interpersonal communications skills, something that many lack. This was reinforced by another comment Clark made, and by comments from IBM at another briefing the same day.
The average tenure of a CSO in the US is 16 months, Clark said, and lack of communication skills is the number one reason for their precipitous departures. "They might be very smart and very good at IT and they might know how to stop the bad guys, but they don't know how to articulate that. They don't know how to talk to the board and sell the business on why they need to do certain things. They start locking things down and they don't last very long. Either they get frustrated because nothing moves or the company gets rid of him because they are causing problems."
Over to IBM, which was briefing journalists on its white paper 'Truth Behind the Trends', a distillation of learnings gleaned from interviewing 87 IT leaders from companies across a range of industries "to understand how mobility, cloud and security trends are playing out 'at the coal face' of their IT departments."
Asked what IBM had learned from the security professionals in the sample Scott Ainslie, security expert, IBM A/NZ, said: "Security people tend to be somewhat introspective and a little insular. So it is always a challenge to get them to speak about the problems they have within their company. It was quite interesting to discover that they don't share information. As a consequence they think that the problems they are encountering are unique to themselves."
He was asked if he thought this insularity compromised security professionals' ability to protect their companies. His answer was unequivocal. "Yes...because it means they try and tackle their problems independent of external advice and from our experience getting external advice or seeking collaboration from similar like-minded people is very helpful. More often than not the problems they are facing are not unique and if they work together collaboratively their chances of finding a solution much greater."
US-based wireless networking company Aruba has just produced a white paper '20/20 Vision: Introducing the IT Pro of the Future' for which it asked 159 IT pros around the world - via an online multiple choice survey - for their views on how the IT industry would look in 2020. It also held focus group discussions with IT managers responsible for global strategy execution, and with their staff.
Eighty eight percent of IT pros responding to the survey said that communication would be a key skill in the future and 89 percent said that the communication of IT policies to the wider company would be crucial.
The whitepaper was not focussed on IT security professionals, nor was Aruba's conclusion, but it could well have been: "From upgrading security software to dealing with the chief executive that returns from a conference demanding that all employees are given iPads, the IT professional must be able to set expectations, communicate change, and create and enforce policy to all levels of the business. They must be able to simultaneously support the business and lead it to a successful future."
Such people are likely to be rare and highly valued. A report from Burning Glass Technologies, a company that develops technologies to match people with jobs, says that demand for cyber security professionals grew 3.5 times faster than demand for other IT jobs over the last five years and about 12 times faster than demand for all other jobs.
The Australian Government released its National Security Strategy in January. It had much to say about the need for cyber security, but made no mention of any initiatives to boost the number of cyber security professionals.