It’s often said that technology is only part of the answer to securing increasingly complex information systems. The other crucial element is people. And organisations that actively engage employees in security awareness and the social interaction of technology also tend to have the best IT security. In fact, you ignore the impact of the human factor at your peril.
Security awareness is about making sure your employees understand why IT security is important and, more critically, how they should interact with technology to protect the company. It’s also important to recognise that organisations are very diverse, and therefore making the right connection between new information technology, security policy and social action requires targeted promotion and effective communication.
Once your employees have internalised security guidelines, they are much more likely to protect the company against industrial espionage and loss of information – business-critical factors that cannot be addressed with technical resources alone.
However, promoting a strong security culture takes time, resources and a high level of commitment. It should also include awareness and relevant training in IT security that is tailored to each business unit and group, reflecting an understanding of what’s important to employees locally and aligning their values and existing corporate culture with a core set of security skills. This is especially true for international organisations, where what works in one country may have little or no impact in another.
Right roles, right commitment
At HPE, we believe the best approach is a programme driven by an awareness campaign leader whose job is to build an interdisciplinary security team with representatives from HR, Corporate Communications and Compliance, plus other functions that have an influence on employees. Securing the sponsorship of management as role models is also a critical part of the campaign lead’s role.
It’s the goal of the collective team to implement dynamic and tailored awareness campaigns, training and tools, as well as to monitor the effectiveness of the programme – improving content continuously in response to evidence and feedback.
Interestingly, where security awareness is just one of a number of responsibilities, there is rarely enough time to create proper plans and implement models that engage across multiple stakeholders. Therefore, we believe the communication and training manager roles are necessarily full time, supported by local security awareness representatives advising on what will work effectively in individual countries, business units and territories.
At the end of the day, a positive and empowering security culture is one of the strongest defences against increasing threats to security. And if you want to embed it in your organisation, then you need to dedicate the right level of resources to make it happen. Equally, it takes commitment from the very top to give it the focus needed to effect what is, in reality, a major shift in culture.
Read the “Awareness is only the first step” white paper to learn more.