Here’s a good article for all information security and privacy pros to read and show their business leaders. If nothing else show them the last paragraph:
“Security awareness programs also offer a high rate of return, Tippett said. “Employee training sometimes gets a bad rap because it doesn’t alter the behavior of every employee who takes it,” he said. “But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn’t that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?””
Can I get an “Amen!” to that!?
Most information security and privacy incidents are a result of human mistakes, unawareness, and malicious intent. Effective, and more, training and awareness will reduce the number of incidents.
What I don’t like is the sensationalistic article title, “Antivirus Inventor: Security Departments Are Wasting Their Time”
I know the writer probably chose this title to catch the attention of information security and privacy practitioners, but if a business leader sees it s/he will just say to themselves, “Yup! I knew we were spending too much on security” and not read the article. Consider leaving off the title before you pass this on to your business leaders.
Tags: awareness and training, Dark Reading, Information Security, IT compliance, Peter Tippett, policies and procedures, privacy, privacy policy, risk management, security awareness, security training