Security awareness is a delicate thing, not something to be forced. It takes skill in selling the awareness message in such a way that people want to learn it.
Most agree information security awareness is an essential element of security management, but the effort doesn't always translate into practice. Arnie Bates, information security officer at insurer Unum, puts the current dynamic crisply: “People say your talk was more interesting than they thought it would be. The trick is to get them there in the first place.”
Users often understand they should be more aware, but that understanding does not in itself motivate them to attend awareness sessions, and until that motivation is achieved, awareness programmes lack impact. Arnie Bates, who spends 30 per cent of his time improving awareness across his organisation, believes that developing the ability to truly influence users represents a career opportunity for security professionals. Bates adds that Unum's security awareness programme provides a feedback mechanism as well.
“To be effective, awareness training has to be a voluntary exercise. This takes skill in selling the message,” he says, adding that professionals' instinct to network is essential for developing techniques and ideas. Bates regularly attends networking groups, including the Security Awareness SIG.
He sees awareness as an area that forces a distinction between IT and IS. “When done well, it begins with an assessment of the risks to information rather than the IT systems, those handling the information and what they need to know to protect it.” Because Unum operates in the financial sector, security knowledge among its 1,000 employees is developed through a balance of security awareness training and regulatory expectation. Programmes are tailored to the audience – technical specialists have a different requirement from those working with sensitive medical information. Training exercises are supported through communications, poster campaigns and internal forum discussions.
“When we do a road show, I work with a committee of stakeholders in business units to ensure we create something relevant. We explain the purpose of controls and pull in outside experts to make the programme as interesting as possible,” Bates says.
A recent event included local police crime-reduction officers and a penetration testing company, who set up stalls to demonstrate identity marking schemes, share experience of local data theft and offer advice on securing home networks and portable devices – “something everyone can identify with”, says Bates. “We are not just communicating knowledge, we are engendering interest.”