Developing a Security and Privacy Awareness Program

Thursday, June 23, 2011

Allan Pratt, MBA


What You Need to Know to Develop an Information Security & Privacy Awareness Program

There is no doubt that we are all tired of hearing about security breaches. From Epsilon to Sony to Sega to Citigroup, computer users wonder if anyone cares about online privacy and security.

Well, there is one person who always puts our interests first and foremost: Rebecca Herold. Recognized as one of the “Top Influencers in IT Security” and one of the “Best Privacy Advisors in the World,” and holder of five professional certifications (CIPP, CISM, CISA, CISSP, FLMI), Rebecca is an internationally known author, blogger, instructor, and consultant specializing in information security, privacy, and compliance.

Rebecca’s book, Managing an Information Security and Privacy Awareness and Training Program (second edition), is the definitive read on the subject, but it isn’t just for infosec professionals. It offers a wealth of material for professionals in every business unit, not only the techies.

As Hal Tipton wrote in the foreword, “Information security is now realized by many experts to be more of a people problem than a technical one.” Daryl White, former Chief Information Officer for the US Department of the Interior, said in 2002, “You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable.”

Rebecca wrote in the book’s introduction, “As time goes on, and more and more information security incidents and privacy breaches occur, I continue to hear otherwise smart people say silly and completely wrong statements about the need for (or lack of) information security and privacy training and awareness… In almost every information security incident and privacy breach, humans were ultimately the cause… I hope this (book) serves as a type of cookbook for your education, tips, worksheets, case studies, ideas, resources, and research on regulatory requirements for education of which practitioners must be aware.”

When security breaches occur, many things happen. Customer trust is lost. Customers go to the competition. Brand value disintegrates. Breach response activities result in significant costs to the business. The time involved for breach responses can go on for years, and resulting penalties and sanctions could extend into the millions of dollars.

A security and privacy awareness training program is built around two basic concerns: protecting corporate reputation and protecting personally identifiable information (PII).

Companies succeed as a result of sales and repeat business, and if their reputation is tarnished, they may lose all of their customers. Successful companies identify their target audiences, develop media strategies, develop procedures to address customer complaints, and establish and maintain security/privacy/crisis management protocols.

Further, to gain and keep customer trust, successful companies must use good judgment when collecting and maintaining customer data, and they consistently provide clear opt-out options on every communication.

One take-away can be applied immediately when creating your own information security and privacy awareness training program. Here are five ways in which personnel can be motivated to participate in a training program and comply with policies and procedures:

  • Include security and privacy as specific objectives in job descriptions.
  • Periodically require personnel (including vendors and consultants) to sign a security and privacy agreement that supports your organization’s policies and standards.
  • Establish security and privacy as specific objectives within the scheduled periodic performance appraisals.
  • Obtain support from executive management to commit to explicitly reviewing the security and privacy performance of all managers.
  • Implement security and privacy rewards and penalties that are clearly supported by management.

Since education is so critical to establishing and maintaining an effective, long-lasting information security and privacy awareness training program, Rebecca also suggests that any or all of the following be considered in performance appraisals:

  • Participation in an annual security and privacy promotion week.
  • Exemplary daily clean desk practices (e.g., no more post-its with passwords attached to computer monitors).
  • No infractions found during security and privacy reviews.
  • Promoting security to team members by writing memos, giving presentations, etc.
  • Reading security newsletters on the company’s Intranet.
  • Participating in information security and privacy training.
  • Notifying team members of newly discovered security risks and how to address them.
  • Viewing information security videos.
  • Participation in information security and privacy contests.

The key is that information security and privacy awareness must become part of an individual’s job – something that becomes second nature like effective time management practices.

When employees become lax or leaders stop focusing on the importance of information security and privacy, well, we don’t want to remind ourselves what happened with Epsilon and the other companies who have been in the news recently.

Also, the information must be clear and engaging. If it is complex, employees will avoid it like the plague.

As Rebecca suggests, “Make it easy for personnel to get security and privacy information, and make the information easy to understand…[And] the most important aspect to remember is that security awareness is ongoing and not just an event to do once.” Bottom line: make information security and privacy awareness training a regular occurrence.

Cross-posted from Tips4Tech

Rebecca Herold Thank you for your review, Allan. I appreciate you for taking the time to read my book and then sharing your thoughts about it! -Rebecca
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
