
Security Awareness: After Four Decades, Not Much Has Changed


The awareness toolsets available to security professionals today are among the best ever. They provide detailed metrics, tracking, a variety of presentation formats, and can even run campaigns. As professionals we have a wide range of software and services to choose from, ranging from very expensive high-end systems to some pretty impressive open-source products.


Given all this, you would think that employee security awareness would be at all-time highs. Yet…


Security Awareness is still a major issue in most of the companies with whom I consult. Time and time again, I see programs that lack management/executive support, hanging on by a thread, grudgingly getting budget, and generally trying to do the best job of awareness training they can with what few tools they are permitted to use.


This is exacerbated by executives' general invisibility at security awareness sessions. For some reason, executives suffer from the delusion that they don't need to know anything about awareness. When you consider that successful spear-phishing attacks against executives are on the rise, one has to question why they are so scarce at these sessions. Hubris, perhaps?


It is very well known that ACTIVE executive support of awareness programs is critical if the program is to have any real chance of success. Many regulatory mandates also require that all employees (including temporary employees and contractors) receive periodic security awareness training, and that such training be documented and retained for audit purposes.

October is National Cyber Security Awareness Month. If you get a chance, ask your execs if they know that. If not, then invite them to give a brief talk about the importance of awareness training to the next awareness program you conduct. If they accept, great. If they follow through, even better. If they don't accept or don't follow through, maybe it's time to update the resume.


By now, I am sure you are asking: "But what about the 33 years later heading?" Simple. In summer 1982, a colleague and I published a paper in the Association for Computing Machinery (ACM) Special Interest Group on Security, Audit, and Control, entitled "Security and auditability: mutually compatible objectives in the EDP environment" [1]. On the first page of the paper, we state "The basic underlying problem accentuating the need for security evaluation is the current widespread lack of security awareness."


Funny how some things don't change that much in 33 years.


[1] Richard Bowman and Paul L. Kendall (North Texas State University), "Security and auditability: mutually compatible objectives in the EDP environment," ACM SIGSAC Review, Volume 1, Issue 3, Summer 1982, Pages 35-47. ACM, New York, NY, USA. http://dl.acm.org/citation.cfm?id=1317417&dl=ACM&coll=DL&CFID=721808337&CFTOKEN=66662959


