Top four tips to improve your security program
- 18 July, 2012 10:01
Chief information security officers (CISOs) should take a cue from advertisers such as McDonald’s and make security awareness fun and rewarding, according to one security expert.
Speaking at the Gartner Security and Risk Management Summit in Sydney, Gartner US research vice president Andrew Walls told delegates that traditional security education programs do not work: people remember messages delivered through entertainment, not by sitting in a room being “beaten over the head with a PowerPoint presentation.”
According to Walls, advertisers such as McDonald’s use messages to make sure everyone knows and remembers their product or service.
“Simply being aware of security risks is a waste of time because people don’t remember the risks,” he said.
“The security program has to be attractive and the user motivated to select the right choice.”
Walls provided the following four tips for CISOs and IT executives when drafting a security awareness program.
Pick two or three behaviours to change
According to Walls, security managers should pick two or three security behaviours that they want to change in their organisation, such as ‘don’t click on phishing emails’, ‘don’t leave your workstation unlocked when you leave your desk’ and ‘don’t share your login details with another worker’. “That’s the first nine months to a year of your awareness program. You have to work on specific behaviours, get them embedded in the population, sustain them and then you can add more security behaviours over time,” he said.
Use social media
Instead of blocking social media in the workplace, Walls suggested that security managers should push out security messages over social networking sites such as Twitter or Facebook.
“It’s a fantastic communications medium, if all your people are spending time on social media, why aren’t you talking to them on it?” he said.
“I work with a CISO who every Friday records a five minute video chatting about what was interesting in security that week and he posts it on YouTube. That company has over 60 per cent of employees hitting that video every week to watch it voluntarily.”
Instead of a costly security training session, Walls said this method involves a few minutes of the CISO’s time and an upload to YouTube.
Use Web proxy
According to Walls, security managers could use their company Web proxy as a security awareness tool. For example, if the user tried to access a blocked site, the proxy could redirect them to an internal security awareness site for an explanation of why certain sites are blocked. “Offer content, quizzes and other information to explain and reinforce your security policy,” he said.
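As an added illustration of the proxy redirect Walls describes (this fragment is not from the article or from Gartner), the following Squid configuration denies a list of blocked domains and sends the browser to an internal awareness page instead of a bare error; the hostnames, file path and awareness URL are assumed placeholders.

```conf
# Added example: redirect blocked-site requests to an internal awareness page.
# Assumes Squid 3.x or later; hostnames and paths below are placeholders.

# Domains the policy blocks, one per line (e.g. ".gambling-example.test").
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"

# The awareness site itself must stay reachable, otherwise the redirect loops.
acl awareness_site dstdomain awareness.example.internal
http_access allow awareness_site

# Deny the blocked domains ...
http_access deny blocked_sites

# ... but instead of Squid's generic error page, answer with a 302 to the
# awareness site, passing the requested URL (%u is Squid's code for it) so
# the page can explain which policy applied and offer the quiz or content
# Walls mentions.
deny_info 302:https://awareness.example.internal/blocked?url=%u blocked_sites
```

For HTTPS destinations the browser only sees a failed CONNECT unless the proxy performs TLS interception, so the redirect-to-explanation works most reliably for plain HTTP requests.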
Use games to reward the right choice
Some security vendors were offering tools that redirect users away from phishing emails to educational games, so that the person is rewarded for choosing the right security option, said Walls.
“PhishMe has had enough success with their gaming approach that they are seeing employees come back to the game intentionally to play it,” he said.
“They are learning about security but at no point are the employees dragged into a boring training session.”