Can you please tell me who in the company decides to invest in outsourced employee security awareness training? Is it the CIO, CSO, HR Manager or the CEO? Do they expect a measurable return on investment?
I agree with your opening statement that security awareness training is needed. Within the Government Agency that I support, such training is mandated on an annual basis for all employees and contractors.
As for who invests, the answer would be whomever controls the security budget. In many cases executives are looking for a measurable ROI for all security expenditures. I personally think that is the wrong approach. Security expenses should be looked at more so as an insurance policy: What are the potential losses that are avoided by spending money on security? Awareness training is just another valid expenditure in that area.
For more information on this topic, visit these other SearchSecurity.com resources:
This was first published in March 2003