30 Jun 2010
The rôle of human beings is arguably the most important topic in information security. July's security awareness materials explain what it means to develop a “culture of security”, for example changing employees’ attitudes towards security, encouraging them not to tolerate insecurity but to comply with security policies and make things secure by design, and in general encouraging employees to behave more securely in whatever they are doing.
This was an enjoyable module to write, being our home territory, and I hope the topic resonates with our customers.
Reducing the number and/or severity of security incidents (compared to a culture of insecurity) is the aim, of course, which is about creating genuine business value. Cost-effectiveness is a huge difference between improving security by changing employee behaviors and improving it by changing IT systems and implementing additional technical controls. Security awareness and training activities are significantly cheaper than new technologies. Best of all, they help the organization get more value from its technical controls too - a double winner.
CEO, IsecT Ltd.