I’ve been here at the CSI SX conference for the past few days, and I’ve had the great opportunity and pleasure of speaking with a large number of folks while here. I was finally able to meet Ron Woerner in person (nice to meet you Ron!) after communicating with him in the Security Catalyst Community over the past 1+ year.
I love coming to these conferences and just talking with the participants. There is always at least one topic for which I receive enlightenment that I had not considered before. During the past few days I’ve spoken with 4 to 5 people who are responsible for information security, all from highly regulated industries, who all say despite their adequate to even generous information security and privacy budgets, some of their most important information security and privacy efforts are being quashed by their corporate communications offices; those responsible for the messages that are sent to personnel throughout the enterprise.
“How?” you ask?
The first person I spoke to back on Sunday that brought up this topic said, “I have plenty of budget and resources. However, we really need to get the word out to our employees about how our employees need to work in a way that safeguards information more effectively. The problem is, whenever we want to send communications, we have to go through the corporate communications department. Each time they tell us “NO, we’ve already met the quota for messages to send to employees this month.””
Wow.
And then, being curious about this issue, I brought it up to several of the new folks I met over the past day or two, and found around 4 – 5 more people who said basically the same thing!
It is a very sad situation, and a horribly poor management decision, to not allow communications to go out to employees because the “quota” of messages have already been sent for the month!
Talk about a frustrating situation; to have enough budget, but then to get your hands tied and voice gagged by a corporate communications department that makes decisions based solely on numbers, and not on the business issues and topics the communications cover.
Based just upon the significant number of people who told me about this situation out of the relatively small number of people I’ve met and talked to, this must be a widespread situation…or is it?
Do you have to go through a central corporate communications area to distribute your information security and privacy awareness communications? If so, what have been your experiences?
This is definitely an area I want to look into more. I did not find anything of about this during a quick search. It sure would be a nice study to perform…if I had the time and resources!
Hey, any vendors out there want to sponsor this study? 🙂
Tags: awareness and training, awareness communications, corporate communications, Information Security, IT compliance, policies and procedures, privacy, privacy compliance, risk management, security awareness, security training