Top four tips to improve your security program
18 July 2012, 10:01
Chief information security officers (CISOs) should take a note from advertisers such as McDonald’s and make security awareness fun and rewarding, according to one security expert.
Speaking at the Gartner Security and Risk Management Summit in Sydney, Gartner US research vice president, Andrew Walls, told delegates that traditional security education programs do not work because people remember messages delivered through entertainment rather than by sitting in a room being “beaten over the head with a PowerPoint presentation.”
According to Walls, advertisers such as McDonald’s use messages to make sure everyone knows and remembers their product or service.
“Simply being aware of security risks is a waste of time because people don’t remember the risks,” he said.
“The security program has to be attractive and the user motivated to select the right choice.” Walls provided the following four tips for CISOs and IT executives when drafting a security awareness program.
According to Walls, security managers should pick two or three security behaviours that they want to change in their organisation, such as ‘don’t click on phishing emails’, ‘don’t leave your computer workstation unlocked when you leave the desk’ and ‘don’t share your login details with another worker’. “That’s the first nine months to a year of your awareness program. You have to work on specific behaviours, get them imbedded in the population, sustain them and then you can add more security behaviours over time,” he said.
Instead of blocking social media in the workplace, Walls suggested that security managers should push out security messages over social networking sites such as Twitter or Facebook.
“It’s a fantastic communications medium, if all your people are spending time on social media, why aren’t you talking to them on it?” he said.
“I work with a CISO who every Friday records a five minute video chatting about what was interesting in security that week and he posts it on YouTube. That company has over 60 per cent of employees hitting that video every week to watch it voluntarily.”
Instead of a costly security training session, Walls said this method involves a few minutes of the CISO’s time and an upload to YouTube.
Use Web proxy
According to Walls, security managers could use their company Web proxy as a security awareness tool. For example, if the user tried to access a blocked site, the proxy could redirect them to an internal security awareness site for an explanation of why certain sites are blocked. “Offer content, quizzes and other information to explain and reinforce your security policy,” he said.
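The redirect Walls describes is a small change to an existing forward proxy. The following Squid configuration fragment is an added example, not from the article or from Gartner; the hostname awareness.corp.example, the block-list file paths and the category names are assumptions. It uses Squid’s deny_info directive (Squid 3.2 or later) to answer a blocked request with a 302 to the internal awareness site instead of the generic proxy error page, carrying the requested URL and the policy category so the page can show the relevant explanation and quiz.

```squid
# Added example (not the article's own configuration): Squid forward proxy
# that turns a policy block into an awareness moment.
# Hostnames, file paths and category names below are assumptions.

# Categories of sites the policy blocks, one domain pattern per line.
acl blocked_social    dstdomain "/etc/squid/blocked-social.txt"
acl blocked_filestore dstdomain "/etc/squid/blocked-filestore.txt"

# Always allow the awareness site itself, otherwise the redirect would
# loop if that host ever matched a block list.
acl awareness_site dstdomain awareness.corp.example
http_access allow awareness_site

# Deny the blocked categories. deny_info keys off the last ACL on the
# matching deny line, so keep one category per line.
http_access deny blocked_social
http_access deny blocked_filestore

# Instead of Squid's built-in ERR_ACCESS_DENIED page, send a 302 to the
# internal awareness site. %U expands to the requested URL (with any
# userinfo stripped); the cat parameter tells the page which policy
# section and quiz to show.
deny_info 302:http://awareness.corp.example/why-blocked?cat=social&url=%U    blocked_social
deny_info 302:http://awareness.corp.example/why-blocked?cat=filestore&url=%U blocked_filestore
```

Two points to check before rolling this out: the awareness site must be reachable without going back through the same deny rules (the allow line above handles that), and the why-blocked page should treat the url and cat query parameters as untrusted input when it renders them, since they come straight from whatever the user requested.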
Some security vendors were offering tools which redirect users away from phishing emails to educational games, so the person gets rewarded for choosing the right security options, said Walls.
“PhishMe has had enough success with their gaming approach that they are seeing employees come back to the game intentionally to play it,” he said.
“They are learning about security but at no point are the employees dragged into a boring training session.”
Follow Hamish Barwick on Twitter: @HamishBarwick