
Too many companies today consider security awareness to be a policy to be written, a handbook to be signed, and a checkbox to complete. I like to call this security un-awareness, because if you are aware of security at your organization, you are more than likely aware of how difficult it is to create a security "aware" company. In a 5,000 employee company, having 5 security people and expecting them to be responsible for security is a misconception that can prove to be dangerous.

Senior management needs to understand that there are actually 5,000 individuals that are responsible for the security of the company.  This responsibility needs to be clearly articulated in employee job descriptions, job performance reviews, and department meetings.  Division directors need to be measured on how well their teams have complied with security requirements and whether they appropriately handled security issues within their area of responsibility.  

We as security professionals know that "there is no patch for human stupidity" so what do we do?  

#1 - Pull yourself out of your office, cubicle, or data center and get out into the operating units to evangelize security. Schedule these meetings like you would any other important meeting. Why? Because putting a face on security in your organization IS an important meeting.

#2 - Kick, Bite, and Scream until you are able to get a meeting with the Executive Team at your organization. Do NOT take responsibility for security awareness until you have had a chance to sit down with the Executive Team, discuss the challenges, and obtain buy-in that it is in fact EVERYONE's responsibility. They need to be aware that while the Security Officer can create a framework for management and monitoring of an awareness program, they will need the participation of 5,000 people who are not under their direct responsibility.

#3 - Hopefully at this point you still have a job and you've obtained buy-in from the Executive Team. If you have, you are more likely to succeed in helping to secure your organization than your counterpart at ACME Corp., who can present to their auditor a list of everyone who has signed his/her policy acknowledgement and a list of all the people who have taken the online Computer Based Training.

#4 - Manage your auditor. I see too many auditors that audit security awareness by asking to see the paperwork supporting your security awareness program, the lists of people who signed your acknowledgement document, and the percentage of employees who have taken the annual training. That does not measure security awareness; it just fulfills some compliance checklist.

If you are really concerned about security awareness have a real test done.  Hire a firm to perform social engineering attacks against your employees and you'll see how "aware" your organization is.  Don't have the money?  Do it yourself - just open your eyes and see what you may have been ignoring (people holding doors open for others, emailing their passwords around, providing their passwords over the phone to IT support, backup tapes left in public areas).  Call a few individuals in your organization on your cell phone pretending to be from IT support and tell them a critical software upgrade is going on and you'll need to configure their application or they may be kicked off the network.  Walk them through obtaining the IP address, System Name, DNS Servers, and then finally ask for their password - you may be unpleasantly surprised.  

Creative social engineering is the ONLY way to measure the effectiveness of your security awareness program. Think back to the objective of your program: "Educate users of computer systems within my organization so that they will be able to deal with specific threats to our information systems." If you don't try to mimic those threat agents (whether calling them up to trick them into disclosing sensitive information, or sending select individuals an email from an outside address to see if they in fact click on links in emails), how can you provide an effective measurement of awareness?

Without doing this you are setting yourself up to fail, no matter how glossy and coordinated your "awareness program" looks from the outside.
