Employees should be able to apply a level of risk management in order to protect the business and themselves.
Speaking to SC Magazine, Amar Singh, News International CISO and chair of the London Chapter security group of ISACA, said that staff awareness and training were huge opportunities to invest in.
He said: “I think the balance in running an awareness campaign is all good, but engaging with the user for what is information security is the main thing. If I can engage and can have a framework or process that every user can engage with me, I believe I can increase awareness by doing that.
“The problem is with training and awareness. Someone I spoke to said they achieved 90 per cent awareness with an exam every six months, but if that is the only measurement of success, then people just click through.”
Singh said that in his role at ISACA, one of his objectives was to increase awareness in information security, especially in schools where nothing was being taught. “I want to spread and engage with people on information security, as I want to engage my users so I can make the awareness much more effective,” he said.
Singh said that he is currently trying to convince users to adopt a policy by talking to people face-to-face about the top five things for News International, as exam-based statistical key performance indicators have no real level of engagement.
In terms of what he was training on, he said that this was “in every possible way” on spear phishing, social networking and removable media, as users need to know what threats look like.
He said that he came in ‘post incident’ and was working with the company's data protection officer to build a security division.
Asked if he felt that it was hard to drive security home to people who were not security conscious, Singh said it was “definitely a challenge”, as the younger generation are easier to engage in these issues.
“They may not appreciate security, but they are more tech-savvy than ever before and they know how to use the basic technology,” he said.
“The challenge here is that they may understand technology but they may not agree with it. A simple example is to share, but ask yourself if you want to share less, as the media is full of stories of people who do the wrong thing.”
He said that trying to build a risk-based culture should involve applying risk to everything you do, as today everything is everywhere. He concluded by saying that security should be as transparent as possible, but users should be able to step up to the plate.
“I am not saying get rid of controls, let them do what they want but offer training on password management and if you see constant issues with a user, you can offer further training and awareness,” he said.