What we achieve together: building the corporate security culture
The primary objective of information security is to achieve positive business outcomes. Security awareness alone achieves almost nothing: the payback comes through improving information security in three ways:
Cost reduction e.g. incidents and compliance failures that are less frequent and less serious;
Increased assurance e.g. a more confident management making bolder business decisions, knowing they can depend on strong security arrangements;
Increased efficiency e.g. employees know they should get specialist help with complex information and IT security matters, and know who to ask, while the professionals appreciate their advisory role and are keen to help.
Informing people about information security merely increases their knowledge. They also need to be motivated, given opportunities and encouragement to exploit the knowledge and change their ways, for example making better decisions, avoiding or reducing risky behaviors, and responding to incidents. Of these two, motivation is by far the bigger challenge.
“I wanted to drop you a note to say how impressed I am with the information provided – a huge boon to our security awareness programme. I’m obviously biased and will probably read every last word, compared perhaps to wider take-up; but I also wanted to compliment the scope of material, which feels much broader than security and will have equal benefit in other business areas such as our quality and compliance programmes.”
Phil Geens, Information Security Manager, Instem
We are often told how important it is to establish a security culture - easier said than done! NoticeBored goes beyond merely providing awareness content. We promote understanding of and commitment to information security among your employees, helping you generate and sustain a security culture by socializing security. Bringing the underlying security messages to life, making them interesting and relevant, encourages employees to think and chat about the monthly topics.
This is the key reason why NoticeBored addresses staff, managers and professionals in parallel, supporting their differing perspectives on the same subject ... but that’s merely the start. In ways that are hard to predict or control, information security stories can take on a life of their own - for example, an employee who spots a TV news item about a major credit card incident might mention it to colleagues over coffee. Through the privacy, identity theft and compliance awareness modules, they will all have had a grounding in the basic concepts, leading to a more informed and enlightening discussion. Managers will know something about the strategic, governance and compliance aspects (e.g. PCI-DSS and privacy laws), while professionals will appreciate the practical constraints on securing credit card and other personal data through technical controls. Without awareness, nothing gels.
Over time (and yes, cultural change inevitably takes time), each interaction, each piece of information, each awareness topic and event builds a generalized appreciation of information security - what it is about, what it means, why it is important both for the business and the employees - throughout the entire organization, and that in turn influences the way people behave. In contrast to more limited approaches, a NoticeBored awareness program actively exploits social interactions and corporate social networks to spread the word far and wide. That’s part of what makes NoticeBored unique in the security awareness market.
One further example illustrates the value of awareness. High safety levels in the aviation world are no accident: safety has been systematically improved over decades thanks to learning from all kinds of incidents and near-misses. Clearly, incidents and near-misses must be brought into the open in order to learn from them, but the enormous human, economic, legal and even political implications are strong reasons to keep them hidden. Whereas formalized accident reporting and follow-up mechanisms are important, the safety culture that pervades the entire industry is crucial. The medical industry is tackling the same challenge right now: covering up medical mistakes may suit those responsible, but the blame culture is unhealthy. The parallel with information security is obvious ...