Our own assurance measures kick into top gear about now with the impending completion of the next awareness module - specifically proofreading and final corrections on the awareness materials before they are packaged up for delivery.
Like any craftsmen, we take pride in our work. It's what we do, our specialism. We strive to make our output as good as we possibly can, a perfectionist streak that probably goes beyond what's strictly necessary. It flows from our deep-set belief in the value of integrity, both as individuals and as a business. It matters.
Quality assurance is integral to our production process. Checking our finished work (quality control) is the final stage and an opportunity for me to take stock. Having had my head inside the topic all month, it's good to step back for a look at the whole package of awareness goodies as it comes together. Provided the proofreading reveals few issues, I'm reassured that we did a good job, bringing the month's activity to a satisfying close. Hearing that there were "No errors found, no changes needed" always raises a smile.
As an awareness specialist and information security professional, it worries me when I hear people recommending awareness materials freely available on the Web because I know what that means. Sure there is stuff out there, plenty of volume and some variety, but what about the quality? I'm naturally critical thanks to that perfectionist streak I mentioned. I see everything from technical flaws, biases and glaring omissions, down to grammatical errors and speling misteaks - things that will surely confuse, distract and mislead readers if the materials are used.
I see a curious reluctance to invest in awareness, given that the substantial investment in antivirus software, firewalls, security guards and all the rest is enabled and enhanced by awareness and training. Does penny-pinching on awareness content reflect a lack of understanding and appreciation by management of the business value of awareness (due, I guess, to their own lack of awareness)? And what does it say about organizational commitment to information risk, security, privacy, compliance etc.?
While there are some gems, among the free materials I often spot logical errors, bad advice, inconsistencies, outmoded concepts and outdated examples ... and I worry about the same issues in our own materials, especially when we are pushing the boundaries by exploring new topics. We're not immune, we have our constraints and biases too. So when customers come back to renew their subscriptions, recommend us to their peers and express their gratitude for the materials, that's a real confidence-booster - the ultimate in assurance you could say.