In Depth

Employee Security Education: Pillars of Your Community

To err is human. But can you really forgive the security disasters a careless employee might bring to your company? Here's how to teach users that they're your company's best defense against information security breaches.

By Meg Mitchell Moore


Just as important as preaching accountability is practicing it. Luce notes that even when companies write such accountability into their policies, a lot of users don't pay attention. Senior management, he says, is prone to letting offenses slide. He recalls performing security audits at organizations with supposedly zero-tolerance policies that looked the other way when security breaches happened by accident. That, he says, is asking for trouble. "Human nature says you'll get away with whatever the minimal amount of work is," says Luce. "If you don't put something in place to force users to use real passwords, then they won't."

Scare tactics are a controversial way to guarantee compliance. Luce is an admitted fan of using horror stories when he conducts audits. "I do quite often use scare tactics, usually with a newspaper article about a lawsuit. That does a really good job on presidents and CEOs," he says. Apgar of Providence Health Plans also uses such a strategy, but cautions against relying on it too often. "I use horror stories judiciously," he says. He worries that too many tales of security gone wrong could turn him into Chicken Little. But he says he's not averse to telling senior management stories that hit close to home, like breaches that have happened in their own industry.

Bresler adds that he prefers to sanitize the story of something that actually happened to Pacificorp and make it public. "These things do happen and have resulted in dismissals," he says. Users who hear "this could happen to you" stories are more likely to take security policies seriously.

In the end, technology can do a lot to protect precious corporate assets, but it can go only so far. The rest is up to the users. "You can have a really nice garage, but if there's no door on it, it's wide open for a car thief," says Hughes. The harder the CSO works to make users the responsible stewards of corporate data, the safer a company will ultimately be.
