Thursday, July 15, 2010

More Than Just Being Compliant

There is more to Information Security awareness than just compliance with any number of laws and regulations. Awareness and training typically deal with the qualitative. Much of what we do to help keep information secure and private is tied directly to people, their roles, and cultivating a 'culture of awareness' within the organization. Spending time with people, both 1-to-1 and 1-to-many, is essential in helping them better understand how to mitigate risk to the organization within their own job role. Their secure business practices then aggregate into meeting the applicable compliance obligations.

For example, without awareness, how are IT people supposed to know that they ought to be designing and using technical controls? How is management supposed to understand the information security risks the organization faces on a daily basis, or their part in ensuring that those risks are brought under control? In other words, security awareness is much more than just an annual briefing of the troops. Regular employees need to appreciate that they may be scammed and exploited for their access to corporate and personal information, and that there are numerous security controls that depend on them being alert and reacting appropriately to threats that may materialize at any time.
