Implementing a security awareness program seems rather straightforward, until you actually start to implement one — factoring in things like resources and the people (users) to be trained. At that point, it can seem complicated, costly, and unnecessary. However, the process doesn't have to be a logistical and expensive nightmare, and it's certainly worth it in the long run.
Organizations both large and small have implemented awareness programs for next to nothing, and while they're not perfect, many of them are able to show measurable results. The key to these successes, however, is understanding what the organization is actually trying to accomplish.
While doing topical research for this story, CSO found a common view among the experts and executives who were consulted, including some who spoke to us during two regional security conferences this summer (B-Sides Detroit and CircleCityCon).
Executives often view security and business as two separate items, and while this point of view is changing, it takes effort to get some executives to commit to security and make it part of the business overall.
Even when executives do commit, tangible security needs such as license renewals, support and service contracts, firewalls and other appliances are all things they understand. Awareness training, however, looks to executives like an extended version of general security training, and there just isn't money for something like that.
At the same time, there's also a shakeup happening — thanks to a seemingly endless stream of data breaches this year that have placed several large companies in the headlines. The result of this shakeup is fear, and sometimes fear has a way of producing the budget needed to strengthen security. In some circles, this additional funding opens the door to the development of security awareness programs.
Is awareness training really needed?
Security awareness training is something that can cause a good deal of debate among experts. Some agree that it's needed; others will call it a waste of time and resources.
Dave Aitel, in a column for CSO, expressed an opinion that such training wasn't needed:
"Instead of spending time, money and human resources on trying to teach employees to be secure, companies should focus on securing the environment and segmenting the network. It's a much better corporate IT philosophy that employees should be able to click on any link, open any attachment, without risk of harming the organization.
"Because they're going to do so anyway, so you might as well plan for it. It's the job of the CSO, CISO, or IT security manager to make sure that threats are stopped before reaching an employee—and if these measures fail, that the network is properly segmented to limit the infection's spread."