Implementing an Information Security Awareness Program

The article addresses the elements that make up a successful information security awareness program. It addresses the role that organization personnel play in the information security program and how to use this information to one’s benefit. It also discusses how to establish awareness program scope, how to segment the audience, and how to ensure that the content is effective in getting the message to the user community. INTRODUCTION The development of information security policies, standards, procedures, and guidelines is only the beginning of an effective information security program. A strong security architecture will be rendered less effective if there is no process in place to make certain that the employees are made aware of their rights and responsibilities with regard to organization information assets. All too often, security professionals implement the “perfect” security program, and then are surprised that it fails because they forgot to sell their product to their constituents. To be successful, the information security professional must find a way to sell this product to the customers. For years I have heard information security professionals discuss their jobs in terms of overhead, as if this is some evil thing. Nearly every employee within an enterprise is overhead. Even the CEO, CFO, CTO, and CIO are all overhead. However, they have learned what we need to learn, and that is that we all add value to the bottom line of A S E C U R I T Y M A N A G E M E N T P R A C T I C E S