October 28, 2011 by Carsen
“How often should we conduct security awareness training?”
I was asked this question this week by a director at a Fortune 500 company. There are several answers, and while every organization approaches training a little differently, I was happy to share my thoughts on the subject.
The most effective approach to security awareness training is to make it part of the organizational culture: treat security awareness as an ongoing plan for continuous improvement rather than a one-off event.
For simplicity, start with a basic course that every employee must take. For a more complex and dynamic approach, have executives, managers and IT staff complete a role-specific course before rolling out the basic course to the rest of the employee base. Whichever direction you take, establish a target end date to keep the project on schedule.
Unfortunately, I more commonly see organizations take a once-a-year approach, usually because an internal audit highlighted the need. Security awareness training becomes an afterthought; the annual completion deadline looms until year-end, when management needs a quick fix to meet it. Consequently, little time, energy, personnel or resources are invested in the project.
Often the IT department is tasked with the overall management and execution. What gets delivered is a band-aid that will almost certainly need replacing again next year.
There isn’t a right or wrong answer to the question above. The goal should be continuous training and reinforcement of basic security awareness principles, which helps minimize the company’s risk and exposure to breaches. A company’s greatest source of data loss is, after all, human error, and the best way to protect the organization and its employees from human error is proper, comprehensive training.
Once you’ve found the proper security awareness plan... what’s next?
October 27, 2011 by Carsen
Still tracking and reporting security awareness by spreadsheet? Stop Now!
How many hours have you spent maintaining spreadsheets that track which employees, partners and contractors have completed compliance training, only to have to update them all over again?
With all the advances in technology and in security awareness and compliance training over the past 10 years, I am still amazed by how many enterprises worldwide, small to large, are stuck using spreadsheets to track and report on such an important training initiative.
Thinking about the internal resources dedicated to supporting this makes my head spin. What must it cost? Can it be measured accurately? If I had this time back, how much more productive could I be? These are just a few of the questions I’ve heard clients say they ask themselves over the past few years.
Most off-the-shelf and some custom security awareness training solutions include a way to track and report on the progress of your end users. Most will also let you email those who have not started or completed training and send results to managers or other stakeholders in the project’s success. Surprisingly, there are affordable options to choose from.
In the end, security awareness shouldn’t be expensive; it should be effective. It should cover the basic topics, apply to everyone in the organization and be simple to deploy. It should be manageable from an enrollment, tracking, reporting, reminder and ongoing awareness perspective.
Run a quick report to find users who have not started or have not completed training.
With just a few clicks, generate a report that is up to date and accurate. Free yourself from the inefficiencies of managing a big, bulky spreadsheet and find a process that can be automated for you.
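To make the tracking-and-reporting step concrete, here is an added example in Python; it is not code from the original post or from any training platform. It assumes a hypothetical LMS export with the columns user, manager, role, status and completed_on (the sample rows below are constructed, not real data), classifies each user as completed, unverified, in progress, not started or overdue against an assumed campaign deadline, summarizes by manager, lists who still needs a reminder, and emits the CSV an auditor would ask for. A "completed" row with no completion date is deliberately flagged as unverified rather than counted: that is exactly the kind of entry a hand-maintained spreadsheet accumulates and an audit cannot accept.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample LMS export (not real data). The column set is an
# assumption about what a training platform would export.
SAMPLE_CSV = """user,manager,role,status,completed_on
alice@example.com,carol@example.com,staff,completed,2011-10-03
bob@example.com,carol@example.com,staff,in_progress,
dave@example.com,erin@example.com,executive,not_started,
erin@example.com,,executive,completed,2011-09-28
frank@example.com,erin@example.com,it,not_started,
grace@example.com,carol@example.com,staff,completed,
"""

DEADLINE = date(2011, 10, 31)        # assumed target end date for the campaign
AS_OF = date(2011, 10, 15)           # assumed report date before the deadline
AFTER_DEADLINE = date(2011, 11, 5)   # assumed report date after the deadline


def load_records(text):
    """Parse the export into one dict per enrolled user."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(record, today, deadline=DEADLINE):
    """Return completed, unverified, overdue, in_progress or not_started.

    'completed' requires a completion date. A row that says completed
    without one is no evidence for an auditor, so it becomes 'unverified'
    and is treated as still outstanding.
    """
    if record["status"] == "completed":
        return "completed" if record["completed_on"] else "unverified"
    if today > deadline:
        return "overdue"
    return record["status"]


def build_report(records, today, deadline=DEADLINE):
    """Per-manager status counts plus the list of users who need a reminder."""
    by_manager = defaultdict(lambda: defaultdict(int))
    reminders = []
    for r in records:
        state = classify(r, today, deadline)
        manager = r["manager"] or "(no manager)"
        by_manager[manager][state] += 1
        if state != "completed":
            reminders.append({"user": r["user"], "manager": manager, "state": state})
    return {
        "by_manager": {m: dict(counts) for m, counts in by_manager.items()},
        "reminders": reminders,
    }


def completion_rate(records, today, deadline=DEADLINE):
    """Fraction of enrolled users with a verified (dated) completion."""
    if not records:
        return 0.0
    done = sum(1 for r in records if classify(r, today, deadline) == "completed")
    return done / len(records)


def managers_to_notify(report):
    """Managers with at least one direct report still outstanding."""
    return sorted(m for m, counts in report["by_manager"].items()
                  if any(state != "completed" for state in counts))


def audit_evidence(records, today, deadline=DEADLINE):
    """CSV an auditor can take away: every user, their state, and the completion date."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["user", "manager", "state", "completed_on", "report_date"])
    for r in records:
        writer.writerow([r["user"], r["manager"], classify(r, today, deadline),
                         r["completed_on"], today.isoformat()])
    return out.getvalue()


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    rep = build_report(recs, AS_OF)
    print(f"completion rate as of {AS_OF}: {completion_rate(recs, AS_OF):.0%}")
    for m in managers_to_notify(rep):
        print(m, rep["by_manager"][m])
    for item in rep["reminders"]:
        print("remind", item["user"], "->", item["state"])
    print(audit_evidence(recs, AS_OF))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the reminder list is what you would hand to the mail step, and the audit CSV is the record you would produce when asked for evidence. Grace's row is the case to watch: she shows as completed in the sheet but has no date, so she stays on the reminder list until the platform records one.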
1) Is your tracking and reporting process taking longer than expected?
2) When faced with an audit, are you challenged to produce records quickly and accurately?
3) Have you thought there must be an easier and more affordable way?