It’s All About the People & It’s Driven From The Top

A vast number of tools and providers are available to help implement security awareness platforms, and yet all of them can fail if the focus shifts to simply installing the tools or, even worse, performing to their metrics. Much like “teaching to the test,” companies run the risk of training their employees to satisfy the metrics without developing any true awareness. Leadership needs to step forward in the initial phase of developing a program to clearly and consistently deliver the message that IT security awareness is an integral job function for the entire organization. The technologies and vendors will certainly be critical to any implementation; however, it needs to be made clear that these tools are the yardstick by which success is measured, not the indication of success itself. The reality is that most organizations are attempting, or will attempt, to evolve their IT security awareness after many other business rules have already been defined, and in every case this process will be ancillary to the main goal of the business (delivering goods and/or services while returning a profit to investors/owners). Thus, budget constraints, process changes and other impediments are sure to crop up. One of the great services management can provide is to avoid the blame game. IT systems continually increase in complexity, as do the attack surface they expose and the number of adversaries looking to exploit it. As the primary goal of IT is to provide the tools that allow the business to deliver those goods and/or services at a profit, chances are that vulnerabilities exist in an organization’s networks and systems. Remediation of these issues is obviously a concern; however, the focus of any IT security awareness program should be the development of policies and processes that avoid repeating these exposures in the future. Essentially, the idea is to not make the same mistake twice.
If management develops security awareness as a culture and not a scorecard, success will be much more likely.
You Can’t Miss the Shots You Don’t Take

It can be argued that building a truly secure IT platform is fairly simple: just lock it in a room and never plug it into anything else! There is always an inherent balance between function and protection, so IT security will always be a practice of risk management. When implementing an integrated IT security awareness program, you should strive to develop a corporate mindset that considers the security implications of desired IT changes. The individual issue may be a user wanting to open a .PDF file from a stranger, an AppDev employee asking for specific network connectivity, a vendor asking for an extranet connection, or something else. The objective is not to have a laundry list of yes/no responses, but to instill at all levels of the organization a mindset that asks: “What are the potential risks and benefits of this action?” From this approach, the various IT security tools and approaches provide the visibility to answer that underlying question and the means by which decisions can be monitored to see whether the evolving landscape changes that risk/reward scenario.

About the Author: A graduate