Wednesday, February 6, 2013

Essential Roles

Another essential role of information security is in properly distributing the policies. Having a perfect set of policies and standards is one thing, but if it is never put into the hands of those who do the work, it is of very limited value. Security awareness training must be more than just a checkbox we tick to get through an audit. Awareness of corporate policies and standards should be provided through formal training, but also through guerrilla marketing, regular staff meetings, reminder emails, and performance reviews.

Once the policies are in the hands of our entire staff, it is up to them to successfully implement data security. Whether the policy is password complexity rules, sensitive data handling, or secure coding standards, we depend completely on our employees to implement it. We cannot overlook any employee group; even the least likely-seeming employee has some access to our organization, and could be used as a jumping-off point for an attack. A thorough and consistent security message, delivered to every area of the organization, is required.

In order to ensure that each employee hears the appropriate message, we need to customize their training to their daily experiences. There are some areas that every employee should be taught (secure password rules, avoiding tailgaters, how to spot an intruder), and many others that are essential in some departments but unnecessary in others (secure coding standards, firewall configuration rules). By tailoring the training to the intended recipients we reduce the amount each person needs to be taught, while making the training both more interesting and more effective.
