Michael R. Farnum

Hitting the Security Nerve

Security awareness training does not have to be hard

Security awareness training is arguably the most important part of a successful security program. Because the human factor is typically your weakest link, well-educated and security-aware employees go a long way toward securing your environment. However, security awareness is often the most neglected part of a security program because of the sheer amount of work involved.

Here are some (not all) of the challenges a security manager faces when creating a security awareness program:

  • Creating curriculum
  • Making sure the curriculum is at least somewhat customized to the environment
  • The actual training itself (distributing for self-training or getting everyone to class)
  • Keeping track of who has taken the course
  • Testing to ensure the class is actually working
  • Tracking test scores and retakes needed
  • Security awareness reminders (posters, login banners, mouse pads, etc.)

Some companies have education departments to help with this, but most are not that fortunate. So what is a security manager to do to overcome this hurdle? Fortunately, there are resources. There are people who have done this work already so you don't have to. And there are companies that can even help build a complete security awareness program, complete with customized curriculum and tracking, to take the burden off your shoulders.

The Computer Security Resource Center at NIST has a great resource page for security awareness that lists many companies and organizations that can help you. Sure, many cost money. But security awareness is one of those areas where you really cannot afford to skimp. If you have to do it on the cheap, then you may have to get creative and use all the free resources you can find. It will be more intensive for you, but it will be worth it.

What People Are Saying

Building security awareness

Building security awareness is not an issue of information - there's a wealth of security training information available.

It's not an issue of cost either - a few thousand dollars can create a very compelling online training program that can be available around the clock and around the world.

The problem is people but not the people who are usually blamed. Most security professionals are not security educators and don't know how people learn.

They typically don't understand that simply giving employees information will do little to permanently change user behavior.

Like so many security issues, the problem lies with senior management. As a security consultant with 25 years in the business, I'm still amazed at the number of CEOs and CIOs who don't believe employees have any real role to play in protecting their workplace.

The commitment to employee security awareness must be just as passionate as the commitment to customer service and product quality.

But when it's hard to prove any ROI, fat chance that will ever happen. Don't blame the employees, blame the boss. A few well-publicized lawsuits against companies that have shown a conscious disregard for fixing this security gap could kick-start the security awareness industry.

Here's the hurdle I often

Here's the hurdle I often have with security training: I build it, but can't get them to come.

  • What do you do when your organization has no training whatsoever?
  • What carrots or sticks do you recommend to drive attendance?
  • What can we do to get them to pay attention?

We're trying to lead a recalcitrant horse to water. How do we get him/her to drink?