Introduction
Having an information security policy is not sufficient. “To have even the slightest hope of success, the policy must achieve some level of visibility” said Tom Peltier in his book Information security policies, procedures and standards. Information security has to become second nature for employees, i.e. an inherent part of the corporate culture, as natural as wearing a seatbelt in a car. “The goal is to establish and maintain an organizational culture where information security is second nature to all employees” said Deloitte’s 2005 Global Security Survey.
What’s needed is a cultural change - a completely different approach.
As NIST puts it, the fundamental value of security awareness is to create “a change in attitudes which change the organizational culture. The cultural change is the realization that IT security is critical because a security failure has potentially adverse consequences for everyone. Therefore, IT security is everyone’s job.”
Our approach
We provide both the materials and the creative energy for your security awareness program. NoticeBored reaches, informs, educates and engages your employees. Individual security topics are covered in bite-sized chunks. The action-oriented motivational language directly addresses staff, managers and technologists, giving them guidance and advice relevant to their respective roles. Employees see and hear consistent messages in several places (including reminders from their managers), each one reinforcing the last. They even have the chance to get involved, perhaps entering a security awareness competition to win a worthwhile prize or maybe just speaking to the IT manager about the campaign. Taken as a whole, these activities build a widespread genuine awareness of information security.
“An effective security-conscious culture happens only through sustained efforts”
Sekar Sethuraman
Cultural change takes time, hence one-off or short-term awareness and training activities are doomed to fail. Would you seriously contemplate teaching someone to drive a car safely in just one 30-minute “training session”? Yet this is essentially what many organizations try to do with their information security programs.
NoticeBored supports a continuous, rolling program with new material every month. Important information security awareness messages are reinforced through repeated exposure. Techniques borrowed from the field of advertising create awareness of the information security ‘brand’.
For more information, please read our white paper “Why security awareness”.