What's particularly alarming is that the desire for security compliance doesn't sync with the effort businesses put toward training and education, both within the IT department and throughout the workforce. Monitoring user compliance ranked as the No. 1 security priority in a survey of 966 U.S. companies polled by InformationWeek Research and Accenture. Security policies typically define who has access to data, how it can be used, where customer data can and can't be stored, any potential legislation the company is subject to if the data is breached, and whether data must be encrypted.
Still, more than half of U.S. companies surveyed say security technology and policy training would have no impact on alleviating employee-based breaches, a sentiment shared by more than half of the companies surveyed in Europe and China as part of the InformationWeek 2006 Global Security Survey. In fact, most companies surveyed worldwide admit they don't train their employees on information security policies and procedures on a regular basis, preferring instead to deliver ad hoc training.
Can you imagine being a CSO or CIO on the witness stand today? Or maybe it's just a deposition. The legal counsel for the plaintiff asks a simple question like:
Does your company have a written policy for training new employees on security technologies and controls?
Yes.
Does this written policy specify how and when a new employee shall be trained on security procedures and controls?
Yes.
Can you please state the number of formal training sessions held last year on security technology and policy at your company?
No.
Can you estimate the number of new employees trained last year according to your companies written policy?
No.
And the pain and suffering continues as the CxO realizes that the chain of evidence does not show a clear and demonstrable strategy for training employees on security controls. It does not follow the written policy of the company. Game over.
Given the increase in the number of data breaches, businesses can't allow security polices to become hampered by ambivalence and red tape. Next time, it could be your job on the line.
operational risk
No comments:
Post a Comment