Success strategies for security awareness

A corporate security-awareness programme aims to make all the employees understand and appreciate not only the value of the company's information assets but also the consequences if these assets are compromised. In theory, the process is straightforward and painless. But as every IT/security manager knows, in real life, an awareness programme can be a monstrous headache -- especially in a large enterprise.

How do you start off on the right foot when implementing a security awareness programme? How do you determine what tools will be effective in your organisation? And the big question is: how do you make everyone aware? Our security experts offered a number of simple yet often overlooked strategies.

Do your homework
According to Lena L. West, chief executive of xynoMedia Technology, before you start drafting a security protocol, you need to know as much as you can about the environment. The two main areas you must look into are:

How people actually use the systems and for what purposes -- "This is the most overlooked area when drafting a security protocol," said West. "If the IT manager does not understand how the company is using the systems and what they use it for, it's hard to determine security levels."

Who has access to what and why, and who needs access to what and why -- "The two lists should be cross-referenced to determine if the correct individuals have the correct access," West added.

West further stressed: "It's important for the IT manager to know how the company is using the information and she/he must also understand the dynamics of their particular industry… because security measures will not be the same at a financial institution as they would at a construction company."

"Recent HIPAA and FIPAA legislation demand higher security measures. The IT manager should do due diligence to determine exactly what's required by law and build from there. A healthcare institution may want to implement audit trails on network resources. If a file is missing, copied, or deleted, it would be important in that industry to know who did it and when. This may not be as important at, say, a bakery."

Monique Shivanandan, vice president for IT Strategy, Security & Business Continuity at BellSouth, advised that the security manager must be versed on corporate goals, initiatives, and policies. "The manager must also understand the employee universe -- the size, the makeup, the management style, and the corporate culture."

Get it from the top
E. Kelly Hansen is the chief executive of Neohapsis, an information security consultancy and enterprise product-testing lab. She stressed that executive buy-in is paramount. "Without a corporate leader visibly backing the programme, people are not going to be as eager to participate. Training takes time away from people's regular job functions. In a day in which many companies are understaffed, training doesn't seem to be a valuable trade-off. Tyranny of the urgent rules most organisations. Without visible executive stewardship, information security awareness programs are doomed to fail."

Likewise, West said: "The IT manager needs to understand that technology is still seen as a necessary evil. If there is no buy-in from the top -- c-level and down -- there will be no support of the initiative from upper management down to staff."