There is plenty of technology that can be applied in all manner of ways to help protect against a breach, but if the employee culture doesn’t embrace being mindful of security, it makes the CISO’s job a little harder.
Most likely your organization has implemented some type of information security awareness training. It’s not only a smart thing to do, it’s required by certain security standards – NIST, PCI DSS, to name a few.
PCI DSS requirement 12.6: Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
Requirement 12.6.1: educate employees. Requirement 12.6.2: employees must acknowledge at least annually that they have read and understood the security policy and procedures.
So you’ve implemented a program and the employees have been storming the Learning Management System to take the security awareness training, right? They’re all very concerned about meeting the regulatory standard, right?
There are many different training approaches. Training can take the form of classroom sessions, paper-based materials, or online courses. Good content and ease of use are important, as is the ability to track course completion across the employee population. Tying the training into overall company policy and into the employee's job requirements is also a good idea.
Making the training fun also helps. A good instructor or well-written content keeps the trainee's attention and aids retention of the material. If I had Jerry Seinfeld come in to deliver some security awareness training, I bet it would be a well-attended event! And remembered!
Seriously though, security awareness of the employee population is important, and it needs the support of senior management all the way down through the organization. The well-meaning but untrained employee is generally the weakest link within an organization. (Oh, do we have some social engineering stories... That's a different blog.)
Sr. Account Executive