Security (b)log - English edition: September 2025

Photo by author

I love this traffic sign. In other European countries, the warning for playing children is a neat triangle, just like all other warning signs. But in Croatia, they literally thought out of the box.

This sign powerfully expresses what it's about: playing children are unpredictable and can suddenly run into the street – breaking through the boundaries of their safe environment. The sign is also large and has a striking background color. You’ll find it in every village and city.

If you look under the sign, you’ll see an example of the opposite: a sign that raises questions. The sign prohibits vehicles over five tons from driving here; that’s clear enough. But there’s a sub-sign indicating that the rule only applies to trucks. Now I challenge you to name a road vehicle, not being a truck, that weighs more than five thousand kilograms.

But since I felt a bit unsure, I checked with AI: 'Are there road vehicles, not being trucks, that weigh more than 5 tons?' And yes indeed, my view was too narrow: the universe doesn’t consist solely of regular cars and trucks, but also of more exotic vehicles on our roads: heavy SUVs and pickup trucks, large RVs, special vehicles (Copilot mentions mobile medical units, mobile offices, and film production vehicles), and agricultural and construction vehicles. These are not trucks, but they are too heavy for this road. Unless that sub-sign is present.

Then you naturally wonder what the actual issue is. Apparently, the road (or is it the bridge on the left in the photo?) shouldn’t be overloaded, but a heavy load only seems to be a problem if caused by a truck. In the past, you’d have had a good discussion about such matters with colleagues, but well, remote work, right? So I asked AI again and it turns out that the weight itself – or as Copilot correctly calls it: the mass – doesn’t have to be the problem. Maybe they want to reduce noise pollution or improve traffic safety. I’ll leave out other AI arguments here because I find them less convincing.

Two signs, two totally different experiences. One causes a wow-effect and was the reason for taking this photo, the other raises questions and only stood out when I looked closely while writing this blog. Is that a problem? I don’t think so. I’m not the target audience for the second sign; my driver’s license only goes up to 3.5 tons. While driving, I wouldn’t even notice it. The first sign, however, should speak to every driver. No one wants to run over a child.

It works the same way in information security. Some things are important for everyone, like practicing good password hygiene and being alert to phishing. The importance of other matters depends on who you are. A network administrator must ensure no one gets uncontrolled access to the company network, while someone in finance must be careful not to pay fake invoices. That means we need to tailor our awareness efforts to the audience. But unfortunately, information security professionals in many organizations are too busy to differentiate their awareness activities. And so we end up with well-intentioned but sometimes too generic education.

How can we break through that? If hiring extra staff isn’t an option, maybe we can enlist help from the target groups themselves. Often, there are already people who are quite aware of the specific risks their team faces. They’re eager to share their knowledge and skills with their direct colleagues. We can support them by giving them a certain status. In some organizations, they’re called security champions. I think that’s a great title. They are our champions in the field. Let’s cherish and support them.

Will you be our first security champion?

Next week, due to a busy schedule, there may be no Security (b)log.

2025-09-05

Champions

And in the big bad world …

Champions