Information security is everyone’s responsibility, including the travelling sales representative, the mail room manager, the customer service associate and the CEO. For a security awareness program to be truly effective, everyone in the organization must do their part to promote security. Senior management and boards of directors must ensure the organization’s culture puts a priority on security.
Also published as part of an article in CSO Magazine Australia, by Sue Bushell (10 of the Best for Security, 8 March 2006)
The Global Information Security Survey of Ernst & Young cited “lack of security awareness by users” as the top obstacle to effective information security.
There are several critical success factors to attaining a security-aware culture, including:
- A formal security awareness policy that defines the appropriate safeguards and security procedures must exist.
- Executive management support for the security awareness program is crucial.
- “Security-positive” behaviour must be one of the criteria upon which employees are evaluated.
- Security awareness activities must be part of a continuous process – not a one-time effort.
- The target audience of the security awareness program must include visitors, consultants, external staff, business partners and others who interact with the organization.
- The effectiveness of the program must be measured.
Security awareness initiatives are part of an overall information security management program. Crucial to this is a formal security awareness policy that translates the security strategy into practice and defines the appropriate level of security and safeguards by means of a security policy document, security standards and security procedures. Equally crucial is a well-structured information security organization with sufficient authority.
See also my book – Security Awareness: Best Practices to Serve Your Enterprise – available in the ISACA bookstore.