It's almost a cliche that end-user awareness of security issues is critical to keeping a company secure. But recent...
research from the Meta Group confirms it and offers suggestions for improving the situation.
The Stamford, Conn.-based research firm found that more than 75% of companies see the lack of user security awareness as detracting from their security programs. About two-thirds of companies see the lack of awareness among executives as having a similar impact.
Teaching users about security is not an easy task. Security professionals tend to be more comfortable fiddling with firewalls or installing intrusion-detection systems than educating end users about safe computing practices. Moreover, management doesn't usually expect security professionals to be skilled communicators.
"Most organizations will fail to successfully secure their technology environment simply because the security staff lacks the communication skills to create this shift in corporate culture," said Meta in a statement.
While the awareness problem is nothing new, answers aren't obvious. Some organizations go so far as to make awareness programs a requirement, but few of these programs are funded, according to Meta.
A good way of measuring security staffs' communication skills is to look at how well users understand corporate security policy and safe computing practices.
Helping security pros develop those skills requires a supportive corporate culture and years of investment. For example, communication skills should be considered during the hiring and annual review processes, much as technical skills are.
Obviously, having employees with solid technical skills is important, but "the importance of communicating security policy to end users is critical to obtain their cooperation in security initiatives and therefore should not be given short shrift," Meta said. "As security teams focus on policy and audit/compliance, the success of those security initiatives depends on obtaining cooperation from end users, executive management, and IT and business managers."
Dig Deeper on Security Awareness Training and Internal Threats-Information