VA people sacked or trained

It's old news but I've just been reading about the Department of Veterans Affairs' response to the theft of a laptop containing Personally Identifiable Information from a VA employee's home. The response is in several parts:

1. "The VA announced the appointment of a special adviser for information security.
2. "Members of the senior management team were forced to retire or resign and the hapless employee and his line managers were all sacked."
3. The Secretary of State has ordered all VA employees "to complete an annual data privacy and cyber-security awareness training course immediately".
4. Senior officials at the VA have been ordered "to compile an inventory of all workers and contractors who need access to sensitive data."
5. Senior department managers have been told "to remind staff to protect sensitive information"
6. A "security review of all laptops" has been ordered.

The 'annual data privacy and cyber-security awareness training course' caught my eye. An annual course?! VA employees are likely to be riding high on a wave of security awareness arising from bad publicity about the incident but putting them through some sort of training course once a year is more or less pointless. Imagine if roads only had one speed sign every 1,000 miles. Or if big trucks only beeped once when reversing. Or if Coca Cola put all its budget into one advertisement per year. It's crazy. The VA (or rather their US Government bosses) are missing a trick. Telling staff to 'remind staff' about their responsibilities to protect sensitive information , if that's all they said, is hardly proactive.

Perhaps we ought to send them a link to NoticeBored?

Elsewhere I've been reading that "Your common sense is the world's best firewall. Just make sure that you turn it on." Likewise Ira Winkler is constantly telling us that common sense is not common but people need "common knowledge" i.e. information to make sound judgments about information security.

Citigroup seems to 'get it', judging by their advertisement for a London-based information security engineer: "The candidate will be a good communicator, capable of producing viable solutions by distilling the assumptions and requirements of the customers. The candidate will be required to promote information security awareness through interaction with technology peers and customers."