Having security policies is great, but it doesn't help if the employees are not aware of them. To properly enforce these policies, the company should provide security awareness training.
Can you please tell me who in the company decides to invest in outsourced employee security awareness training? Is it the CIO, CSO, HR Manager or the CEO? Do they expect a measurable return on investment?
I agree with your opening statement that security awareness training is needed. Within the Government Agency that I support, such training is mandated on an annual basis for all employees and contractors.
As for who invests, the answer would be whoever controls the security budget. In many cases, executives are looking for a measurable ROI for all security expenditures. I personally think that is the wrong approach. Security expenses should be looked at more so as an insurance policy: What are the potential losses that are avoided by spending money on security? Awareness training is just another valid expenditure in that area.