Dr. Peter Lokhorst is Managing Director of InfoSecure BV, which is currently in seven countries and provides awareness training programs to international clients including Procter & Gamble, European Central Bank, Deutsche Telecom and Bayer.
In this interview he discusses the value of security awareness programs, the challenges involved in teaching employees, and provides advice to CISOs interested in introducing security awareness training into their organization.
Lokhorst will be speaking about innovative formats for awareness at ISACA’s North America CACS conference in April.
Some argue that security awareness training is a waste of money, while others find it invaluable. Where do you stand?
If you approach the awareness training as a single and one-time activity for the employees, I fully agree that it is a waste. It has very limited value if you train employees on the issue of security just by confronting them with the best practices and dangers once.
What you want is a change in behavior of individuals and a cultural change in the company as a whole. To achieve this goal, you must repeatedly confront employees with possible threats and show them best practices. Also, the role of the managers is crucial. It is important to train trainers in their role and be sure that they practice good behavior on a day-to-day basis. Safety is not about knowledge in most cases, but it is all about “awareness” in the true sense of the word. You only reach a higher level of awareness if safety is an issue that repeatedly is discussed and addressed.
BYOD and teleworking have changed the corporate landscape substantially. What specific challenges do companies face when doing security awareness for an increasing mobile workforce?
Awareness and the human aspect are becoming more and more important. As an organization, it is not enough to protect your internal network and data with a firewall and other technical measures. The behavior of your employees, when bringing their own devices, is much more important. Are they aware of what the internal regulations are related to copying data to their own devices or using them for business e-mail?
From the findings of the ISACA’s 2013 IT Risk/Reward Barometer, we learn that, for instance, in the US only 31% of the consumers see it as a real risk. In the UK, this is not even a quarter of all consumers. Consumers are also employees.
So, it makes clear that procedures must be installed and formalized regarding business use of tablets and smartphones. People have to be aware of the dangers, not only because they use their own devices for work, but also because they work in all kinds of public places with their devices. Working outside the office also requires other security behavior.
What are the pros and cons of outsourcing security awareness training instead of doing it in-house. Based on your experience, what brings better results?
A good combination of in-house and outsourced training gives the best results. Awareness training needs a professional approach with an expert. On the other hand, if you don’t develop a good internal program and repeatedly emphasize the importance of discussing the work floor day-to-day security issues, it will never bring a cultural change in your organization.
The different management levels should show they take security seriously. If your manager has his desk full with documents all the time, how will the company ever succeed in a clear-desk policy? You can outsource the development of your internal training, but involve the management and give them a lot of responsibility related to internal communication.
What advice would you give to a CISO interested in introducing security awareness training into a large organization? What’s the best way to approach such an endeavor?
Ensure that everyone is introduced to security-related procedures during the on-boarding period with an e-learning program. After that, select several ways to address security best practices frequently via different ways: a video integrated in your internal intranet e-magazine, posters, sending dilemmas to the mobile device of the employees via an awareness app, confronting employees with security situations via short videos on internal video news-screens, implementing gaming around security, etc. This can be done in a global operating company.
Be sure to support all of these actions with a program for managers (what is the role model, how is security integrated in the communication with employees?): this can be done in short workshops as a start, and followed up by addressing examples of good communication via videos used in the awareness app, for example.