Information Security Process: Security Education
August 29, 2013
Information Security like all relationships requires time and effort. I use a security management system which works well for the companies I have secured and maintained. Classify, Secure, Audit, Educate, Repeat. Not a memorable acronym, but a very valuable path to cycle through. Each iteration has made my companies better prepared for the inevitable attacks and recovery easier and faster.
Security Education is always an interesting topic for me to espouse. This can be done in large meetings with power points, white boards and boring speeches, just to show that you have exposed every employee to the magic of security. Another alternative are the various online materials which employees can use on their own, the more interesting piece is that your employees can refer back to these materials when they are actually useful.
Another way to avoid the large auditoriums and conference rooms full of employees who would rather be working and helping the company keep and create new revenue is to hold small short meetings with the various teams and if there needs to be longer discussions break those into several small 15 minute meetings. Getting directly to the specific points, flaws and how they can best keep your company information accessible, correct and private. This of course requires you as a security professional to spend many more hours preparing different presentations and holding many more meetings, spending much more time talking than the standard several hour big speech which usually causes more confusion and glazed expressions than a better security posture for your company. This method also lets your coworkers know that you are available if they have any issues, or questions.
The educational points on which I like to focus are that security is each persons responsibility, and as they say in New York "If you see something, say something". These general speaking points can be tailored into relevance for almost every group. I also try to let them describe what they feel are the relevant security issues in their departments, doing this twice once at the beginning of the presentation and then at the end after they have had a chance to hear why you think the various pieces of their job are important.
A few don'ts about your presentation, don't try to prove you are an expert in their field, don't try to be their friend, and don't over simplify your requirements.
I hope this is helpful, just a few tricks that I use every day when I do my various roles as a security professional.
Another way to avoid the large auditoriums and conference rooms full of employees who would rather be working and helping the company keep and create new revenue is to hold small short meetings with the various teams and if there needs to be longer discussions break those into several small 15 minute meetings. Getting directly to the specific points, flaws and how they can best keep your company information accessible, correct and private. This of course requires you as a security professional to spend many more hours preparing different presentations and holding many more meetings, spending much more time talking than the standard several hour big speech which usually causes more confusion and glazed expressions than a better security posture for your company. This method also lets your coworkers know that you are available if they have any issues, or questions.
The educational points on which I like to focus are that security is each persons responsibility, and as they say in New York "If you see something, say something". These general speaking points can be tailored into relevance for almost every group. I also try to let them describe what they feel are the relevant security issues in their departments, doing this twice once at the beginning of the presentation and then at the end after they have had a chance to hear why you think the various pieces of their job are important.
A few don'ts about your presentation, don't try to prove you are an expert in their field, don't try to be their friend, and don't over simplify your requirements.
I hope this is helpful, just a few tricks that I use every day when I do my various roles as a security professional.
.wdnii.
© 2013 Norris Proprietaries Inc.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.