It seems we have a lot in common with Luis Navarro of Symantec in relation to security awareness. Writing in SC Magazine, Luis lays out the key parameters and objectives for security awareness programs including:
- Justifying it to senior management via a business case;
- Planning (and hopefully delivering) the program in conjunction with various functions within the organization;
- Making the program delivery 'continuous' not 'one-time' or 'discrete';
- Addressing everyone from top to bottom of the organization, including 'management';
- Measuring awareness and (implicitly) using the results to improve the program;
- Assessing the security environment to identify aspects needing more awareness;
- Promoting awareness of policies and responsibilities (since "investing time and money into securing the organization and its customers can be completely undermined if employees don’t understand their role in the security plan.");
- Delivering the program effectively, sensitive to the audience's needs.
For such a short article, Luis has done a good job of summarizing a sound approach to information security awareness. The only significant element I can see missing is the need for security awareness, training and education for IT professionals: if we expect our IT gurus to build, manage and maintain secure IT systems and networks for the organization, surely we need to make sure they have a good understanding of the objectives and practices of information security? Information security is extremely important to many more IT pros than those working in the Information Security Management Team, yet few organizations seem to appreciate this. Perhaps they just assume that IT pros have already been trained in infosec, and that they are well motivated to make their systems secure? Sadly, in my experience, this is simply not true, meaning that this is a common corporate blind spot.
Read our white paper and Managing an information security and privacy awareness and training program for lots more on this topic.