I've been doing the rounds again and saw a great quote from Alex (RiskAnalys.is) on Michael Smith's blog: "Interestingly enough, the goal of security awareness is the same as war - to change the values of the culture. How about that?"
Michael has just produced what he calls a CISO's book of death too.
It seems to me that they have stumbled across something here which all CSO/CISOs will recognise. Getting anyone to listen to anything to do with security is a fight, and you often need to be sneaky and subtle to get your objectives achieved. I've been talking on PCI Compliance Demystified to a guy (Andrew) who, like me, lives in Spain, but works offshore in Gibraltar for a gaming company. To cut a long story short, he's having issues getting the PCI program off the ground and is starting to use "tactics". Some of the things he's done are great, and similar to things recommended by Mike Rothman in "The Pragmatic CSO", some of them are a bit sneakier. These are the ones I particularly like.
Anyone else have any interesting stories about how they managed to get a security issue recognised or a program successfully implemented against the odds? Let's hear it, there's a prize for the most inventive and original if it's true.
And if you can get to Barcelona to pick it up.