Ongoing Awareness Communications and Regular Training Are Necessary For Effective Information Security & Privacy Programs

Scott Wright over at Streetwise Security Zone graciously invited me to do a podcast interview with him to discuss information security, privacy and compliance training and awareness issues. In the last half of February I had the pleasure of taking him up on his invitation!
You can hear the full podcast here.
Here are the notes Scott compiled about our discussion topics:

  • The disturbing trend of cutbacks leading to greater risks
  • The need to do initial organizational assessments before applying security controls
  • Security inadequacies stemming from a “compliance” mentality
  • How technology-oriented business drivers are leaving security and privacy considerations behind
  • Why off the shelf products require increased focus on security awareness
  • Economic influences on employee likelihood of becoming insider threats
  • What types of cutbacks are organizations making that are potentially dangerous?
  • Rationalizing security as a “foundation” investment instead of an unnecessary expense
  • Compliance with regulations is not sufficient for most businesses
  • How are the most regulated industries doing with security and privacy?
  • How awareness affects quality and mistakes
  • How management’s skepticism about training becomes a self-fulfilling prophecy if they skimp on quality
  • How training quality can be improved
  • How much can you expect people to remember from a single class?
  • How to make training content stick over time
  • Why measurement of student retention is important in getting good results
  • How the Honey Stick Project relates to measuring security awareness
  • Rebecca’s “Protecting Information” newsletter’s metrics tips
  • The impact of being able to show metrics
  • What about the new US government’s position on information security and privacy going forward?
  • Should Obama be able to keep his Blackberry?
  • Electronic Health Records (EHR) and Medical identity theft
  • Rebecca’s eye-opening experience, and the importance of “knowing your audience’s motivations and objectives” when talking about security
  • Why executives aren’t hearing IT people’s messages about security
  • Innovative approaches to security training that have provided good results for Rebecca

If you listen to it, please let me know what you think! I always welcome feedback.
