Mirriam-Webster defines Evangelist as follows:
1: often capitalized : a writer of any of the four Gospels
2: a person who evangelizes; specifically : a Protestant minister or layman who preaches at special services
3: an enthusiastic advocate <an evangelist for physical fitness>
I'm pretty sure you are not one of the writers of any of the four Gospels. While you may be a minister or lay speaker on religious topics, that isn't really what I am talking about either.
So that leaves the third definition to look at; an enthusiastic advocate. There is something that anybody can do. So let's restate the questions: Are you an enthusiastic Information Security advocate?
Not my job
Now I am sure at least one of the three of you who are reading this is muttering, "Not me, I'm not in the Information Security department. Its not my job." Don't hang up yet. I'm talking to you too
Of course we want the Information Security personnel in our organization to be enthusiastic advocates. We rely on them to protect our information assets. But they can't do it by themselves. They need the help of those around them. The job is just too big and too far reaching for one small band of people to tackle.
I'm not Enthusiastic about much of anything.
Okay, maybe enthusiastic isn't the right word. How about just plain advocate. Someone who believes in something and is willing to promote it.
So how do I do that?
Since we are not talking about preaching to the masses and enthusiasm may be a stretch for some. How about quietly influencing those around you by your actions. You know the cliche: "Actions speak louder than words". If we are educated and aware, a whole other topic we will be exploring, and conduct ourselves in a manner that displays said education and awareness, we are likely to have a greater impact on our surroundings than any amount of emails or announcements or posters or threats from above.
How do I become educated and aware?
It's your turn Information Security folks. We need to make sure that we are providing many opportunities for those who rely on us to obtain the education and awareness training that will help them help us. Our E&A programs are as important as, maybe even more important than, our firewalls, IDSes and other technical controls.
I will end this by asking the questions again: Are you an Information Security evangelist? If not, why?