Over the past couple of weeks I’ve heard three different information security and privacy officers talk about making information security and privacy training within their organizations optional (not required) for personnel who have access to information assets and personally identifiable information (PII). Leaving training to the discretion of employees is very risky!
Personnel, including employees, contractors and third parties with access to information assets, should be required to participate in information security and privacy training on a regular basis.
There is no more effective information security and privacy defense than informed and aware personnel. Humans are the weakest link in the information security and privacy defense program. But informed personnel who actively safeguard information can also be your strongest defense.
Building a culture of performing job responsibilities with information security and privacy in mind, every day, will help to dramatically reduce the number of security incidents and privacy breaches, and will bring a much greater return on a comparatively small investment (of minimal time and modest dollars) than any expensive technology system can deliver.
If the risks of Internet use and mobile computing alone are not enough to convince you to implement information security and privacy training and ongoing awareness communications, perhaps it is more compelling for business leaders to understand that training is required by a growing number of laws, regulations and industry standards. And if you have business partners, I wouldn’t be surprised if you also had contractual obligations to provide training.
To determine effectiveness, as well as to demonstrate due diligence, active participation in training events should be documented and tracked. Providing mandatory training, and logging participation and related activities, establishes responsibility for information security and privacy actions on the part of the training participants.
I’ve been creating information security and privacy training and awareness programs, and writing about how to successfully do it, for the past couple of decades. I have written a current series of articles on the topic for Cutter, and the first article, “How Information Security, Privacy Training, and Awareness Benefit Business,” was recently published here.
If you do not subscribe to Cutter and you’d like a PDF of the article, let me know and I can check and see if I can send you a PDF copy.
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training