Only after being approved by FSB's steering committee do infosec policy or procedure changes get implemented across the company. "My job is to inform [the executive team and business sponsors] about what we can do and what the process would be if we made the changes," Meade says. "Because we're a small firm, we can make modifications as the technology changes."
Most organizations aren't as nimble as FSB and don't update security policies often enough, and many don't test-drive changes to gauge what's effective and not too cumbersome, says Forrester's Mak. "You don't find a lot of organizations doing the right amount of testing to identify vulnerabilities, so there's not an accurate understanding of what the effect is on the environment from the human side," he says.
Mak advises companies to create security awareness programs that not only provide direction to employees, but also underscore the importance of embracing a serious security culture.
Getting users on board
That approach will soon be in place at Fay School. Like the Bank of Labor, the school makes frequent minor updates to its infosec procedures to keep up with emerging threats but enacts major policy changes only a few times a year to avoid overwhelming users, says Joseph Adu, director of technology at the Southborough, Mass., private school, which serves grades pre-K to 9. Adu, who came on board a year ago from the for-profit sector, is drawing on his experiences in the business world as he develops the school's IT policies. Among other things, he's making a concerted effort to help employees feel invested in security.
This academic year, the school's 150 staffers and faculty members will take part in both in-person and digital training sessions that will be repeated annually to cover important infosec policy changes, Adu says. In addition, a new plan in effect this year calls for new employees to undergo security awareness training as soon as they are hired. Infosec training will also eventually be incorporated into the school's new-hire orientation process. That means newcomers will know right off the bat that sharing personal information en masse via email is prohibited, and they will understand how the school classifies particular types of data and why, among other things.
The hardest part is getting people to realize that a lot of responsibility falls on them as end users.—Joseph Adu, director of technology, Fay School
Adu says presenting security policies at the point of hire is a way of indoctrinating users into the corporate culture and makes them feel accountable for upholding security best practices. Also, people are generally more open to direction when they first come on board, so they're more likely to accept and abide by the policies. (The school also holds short training sessions for its 400 students to cover security basics, such as a rule against sharing passwords.)