October 2009

Security Awareness Challenges

I would love to hear about your challenges; here is a list of the ones I have found in my dealings with our clients:

1. Having the organization give end-user security awareness training the proper priority. Most often management does not see end-user security awareness as a priority and therefore does not get behind the effort needed to roll out a full program that will have an impact.

2.  Developing a clear and consistent message about the importance of information security to both the organization and the individual.

3. Obtaining or developing materials that carry a clear message about security topics and are both interesting and motivating. Many organizations see this as a huge obstacle and rarely look for existing materials available online or through a security awareness company. Instead, they feel the need to develop these materials internally, which rapidly becomes an overwhelming project.

4. Getting users to take a personal interest in information security and actually motivating them to take the training. This is extremely difficult. In most cases they feel the training is a waste of time being pushed on them by either the technology department or management. They take no personal interest in it because the organization failed to communicate effectively that the benefits of the training would also protect them at home.

5. Having individual users retain the training so that it results in the development and maintenance of safer computer usage habits. Many of our clients report that end users take the training, but random testing a few months later shows they are reverting to old habits. Repeating the training, using new and fresh communication tools, is key to addressing this challenge. Often, however, this is not done.

Add e-learning to your bag of learning tricks!

The foundation and basis of e-learning is traditional instructor-led teaching. However, there is one fundamental difference in how the process is organized. Traditional instructor-led teaching is a routine process with a static set of materials that are periodically updated but still delivered through that same routine. E-learning, on the other hand, is often introduced as a project with a clearly defined schedule, objectives that need to be met and some form of budget.

The effectiveness of either method depends upon the goal of the training, the timelines and the learning audience. It is not a question of favoring one form of training over another, but rather of the outcome or measurable results of one form compared with the other. All individuals learn differently, so it is important to implement a variety of methods, if possible, in your bag of learning tricks.

Managing Compliance

Many security professionals are still struggling with how to manage compliance across the organization. They have implemented various technologies to harden their infrastructure but breaches continue to happen. Why?

There is a lack of consistent and coordinated rules across departments, across functional areas within the organization and, if your organization is global, across geographies. There is a lack of consistent codes of practice within organizations. And staff are still the weakest link in the security chain.

If we are to become proficient in managing risk and compliance, what do we need to do?

1. Standardize

a. Choose technologies based on best practices and public standards. Improve consistency and coordination across the organization by implementing rules and conducting internal reviews and audits to ensure the rules are being followed.

2. Manage Complexity

a. Review all compliance regulations and identify the common elements.

b. Fix those items where commonalities exist first and then plan next phases for technology implementation based on a reasonable time and cost analysis.

3. Educate

a. Promote the right behavior through awareness programs for all levels of end users in the organization, and reward and recognize the right behaviors.

b. Deploy a continuous training regime.

c. Certify and maintain high security education levels among the IT and security teams.

Establishing the Goal

Before either reviewing vendor content or building your own security awareness training content, you need to establish the goal of the training. In the many conversations we have with clients, when asked what the goal of the program is or will be, they find it very difficult to answer. Usually it's because their manager told them to look at existing content or develop their own without explaining what the goal of the program is and how it will be measured. The goal of the security awareness program needs to reflect the overall goals of the organization, so it is advisable to talk with the organization's CSO or CIO if possible.

It is essential to establish a goal, as it provides the overall foundation for effective roll-out and evaluation of the training. The goal can be simple, such as "all employees must become aware of the security policies of the organization" or "all employees must understand the basic security risks, understand their security role and be motivated to develop the behaviors required to keep the organization safe." Better yet, develop a list of the items the organization feels employees need to be aware of. For example, this could include how to properly classify information in order to keep it safe, the transport and labeling of files, proper use of the internet at work, etc.

Setting goals for the program will also help you develop a benchmark or baseline for initial evaluation prior to rolling out the security awareness program, and will ultimately provide the foundation for your end-of-program evaluation.