Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Oct 17, 2014

To eat a chocolate elephant, take small bites


Instead of, or rather as part of, fostering a corporate security culture (a grand but nebulous objective), identify specific aspects or elements of the culture that most need to change and work on those more constrained issues. 

For clues about which aspects need addressing first, speak to your IT auditors and check the security incident reports and security metrics.  For example, if the organization has a longstanding, seemingly intractible problem with noncompliance in the security domain, focus on compliance awareness.  Get some traction on that, measure the improving awareness levels, and move on to the next topic.

You can get as detailed and specific as you like in your planning.  Is the noncompliance problem mostly about legal and regulatory obligations, or policy compliance, or contractual compliance, or something else?  Is it all about privacy, or are there other compliance concerns such as governance and intellectual property rights?  Which parts of the business are the worst?  What have the noncompliance incidents, enforcement/penalties and compliance efforts cost the company to date, and which were the most costly types of event?  Are there particular layers (such as junior management), departments (such as Procurement) or business units (such as, say, some far-flung office that pays scant attention to corporate directives) that lag the field?  Awareness surveys and various other PRAGMATIC information security metrics will enable you to answer such questions and generate a credible basis for planning - also by the way a means to manage, maximise and ultimately demonstrate the value of your awareness activities.

Alternatively, don't worry so much about the micro-topics and the delivery sequence but take a longer term view.  Concentrate instead on the breadth of coverage, the quality of the materials and the effectiveness of your awareness program: naturally, we recommend a NoticeBored subscription.  Your organization will be relatively aware of some of the information security topics we cover, which is no bad thing.  The NoticeBored stuff will reinforce and encourage secure behaviors, and we may well come up with novel angles that you hadn't even considered. For instance, do your security compliance activities pay any attention to business partners' compliance with the obligations your organization imposes on them?  We'll help you pick up on all those issues and more.  Over time, we'll help you consume your choccy elephant.

So what are you waiting for?  It's not going to eat itself.

Regards,