Why are security awareness programs so rare?
By Canadian Security (Features: Opinion)
Security awareness, as defined by the Protection of Assets Manual, “is a state of mind when you’re conscious of an existing security program and its relevance to your behavior, as well as the effect of your behavior on reducing security risks”. Everyone who is part of a particular enterprise should be responsible for it. I believe that while most people logically understand its importance, far fewer have actually incorporated security awareness into their day-to-day work activities.
The benefits of a security awareness program are many. Here’s a list of 11 to consider:
A good awareness program:
1. Helps protect company assets;
2. Shows the connection between the security program and the success of the enterprise;
3. Informs employees of their security obligations;
4. Connects the program objectives with specific countermeasures;
5. Identifies resources to assist in security conformity;
6. Complies with statutory or common law notification requirements;
7. Complies with regulatory measures;
8. Complies with contract obligations;
9. Helps prepare the organization for emergencies;
10. Reduces organizational liability; and finally,
11. Communicates the value of the security department.
I suspect the reason good awareness programs are few and far between is that they are not created, supported or promoted enough within organizations by the security group. When was the last time you attended a conference on creating a good security awareness program? This is certainly not a common topic of conversation between security managers. Have you ever walked up to a fellow practitioner and asked him or her to share security awareness strategies? Their value, in my opinion, is vastly underrated. For the typical security manager, taking the time to identify the aforementioned 11 reasons and articulate how their program delivers those benefits would represent a tremendous amount of thought, research and work. It would, in my opinion, also help the security manager clarify what exactly they are doing to create a comprehensive security management strategy and then implement it.
There are also three rules around the effective implementation of a security awareness program. First and foremost, employees are expected to know the rules. Second, employees are required to follow those rules. Third, employees are required to enforce the rules. Can you imagine if your organizational security group was able to create a security awareness program around the 11 reasons I have articulated? Taking that one step further, how effective would the entire organization be if all employees followed the three rules of security awareness? While I recognize that this might create some work for the security group, it should actually make some things easier in the long run. When you take a good look at those 11 reasons for having a security awareness program, it becomes obvious that they will help the security manager define, guide and clarify the direction of their program.
Using #4, ‘Connect the program objectives with specific countermeasures’, as an example: the security group should take a good look at each of their security countermeasures to determine their value and effectiveness to the organization. Far too many security countermeasures are not tied to specific objectives. They often belong to what I call the ‘shotgun’ approach to security countermeasure implementation: if you put enough ‘lead’ out there, some of it is bound to be effective and hit something. This is fine when the lead is cheap, but not so much when a single security countermeasure can cost hundreds of thousands, if not millions, of dollars.
Does one run the risk of over-promotion and being accused of trying to take over the company or of putting the security agenda ahead of organizational needs? Maybe, but that is the risk one faces when putting together a really good security program anyway.
As we all know, the primary objective of a good security program should be to act as a business enabler. The security program is there to help the organization be successful. By meeting all the reasons I cited, the security group should automatically meet that primary objective. If security is not helping the organization be successful, then a review is necessary to determine what is wrong and, hopefully, how to fix it.