Security awareness: the CISO view from the coal-face

24 January 2013

CISOs recognize that the user is ‘the most commonly exploited security vulnerability’ in their companies, but warn that there is no single one-size-fits-all solution to security awareness training.

A roundtable discussion forum of leading CISOs within the Wisegate community of senior IT professionals recently shared their own methods and insights into one of security’s most intractable problems: ensuring a company’s own staff understand security and operate accordingly. A strong theme to emerge from this discussion is the need for security to avoid operating as a silo within the company, but rather to integrate and work with other parts of the organization. This shows itself in two specific areas of advice – use the expertise of other company departments to help with the message, and break down any barriers between the user and security.

While it is recognized that the legal department must get involved in areas of compliance, CISOs should turn to the marketing and training departments and use their expertise in both developing an awareness program, and then selling it to the user. “We didn’t do that in the beginning,” says one CISO, “and a lot of what we thought that people were going to want was rejected... But working more with the people who have experience with actually training people and presenting things was, I think, a really smart move.”

But users are often ‘afraid’ of security people. “No matter how many times we try to demonstrate that it shouldn’t be scary for users to come and tell security ‘hey, we’ve got a problem here’ or to say that some control we have mandated isn’t working for them,” said another CISO, “people still seem to be hesitant to bring things up. Maybe they think we are just going to say no, or they’re going to get in trouble.”

The advice here is to develop a network of security champions or liaison officers within the different company offices. By belonging to users rather than security, these liaison officers are far more approachable than formal security staff. They can help relate security goals with the users’ business constraints; and help the security team find acceptable solutions.

However, while it is noticeable that CISOs recognize the need to fully use all expertise within their own companies, there is a clear tendency not to engage with external awareness providers. In a separate survey across its wider community of security officers, Wisegate found that less than 1% of companies use only third-party training companies. A full 50% develop their awareness regime fully in-house, while 42% use a combination of third-party and in-house training. (Amazingly, as many as 7% do no awareness training at all.) The message for training companies is simple – just as CISOs need to be able to work with other elements within their companies to provide a tailored awareness campaign, so must training providers be willing to customize their offerings to suit individual companies.

“What emerged from the panel of security experts was an agreement that there is no one-size-fits-all answer to awareness training,” said Tom Newton, CISO of Carillion Clinic. “CISOs need imagination and perseverance to get their message across, and often innovative methods of training from third-party vendors can be quite helpful. We must instill in each employee that they are ultimately responsible for information security.”




cazwysocki says:

06 February 2013
I totally endorse this article. After three and a half years working as an integral part of the IS team, brought in specifically to focus on education, training and awareness, reaching out into the organisation and engaging with staff, we have learnt that humanising the Information Security team is key to success, as is reaching out to staff in simple, straightforward terms that are relevant to their specific roles and activities. Obviously, to evoke real culture change takes time and continual and innovative communications and training. The human factor is the biggest risk to information security, so why not give it proper consideration and use experts to do the job properly?
