However, programs that focus on rolling out off-the-shelf videos do little to address the specific, correct behaviors for typical situations. The typical 3-minute awareness video on social engineering will not address specific governance for every job function, and it will not include the detailed process for releasing tax information or authorizing a funds transfer that is specific to that company. Proper governance should detail the process for requesting the action to be taken: who can make the request, what the approval process is, and what verification steps should be performed before the request is acted on.
Unfortunately, governance is usually treated like a game played with auditors. Companies write just enough policies, procedures, and guidelines to avoid being listed as an exception on an audit report, and then the resulting documents sit on a shelf until the next audit. Proper governance should be practical and implementable.
Awareness programs should treat governance as the driver of their content. Some computer-based training might be part of the mix, but an awareness program should be much more than that. It needs many modes of communication, and it needs outreach to the special populations in the organization with the information, pulled from governance, that is specific to them.
While part of awareness involves motivating people to do the right things, awareness also has to specify what those right things are. That cannot be delegated to off-the-shelf videos. There are, of course, industry best practices and certain behaviors that might be considered universal, but if you want an effective awareness program that goes beyond the obvious, you need to review the appropriate policies, procedures, and guidelines and make sure those are the behaviors your awareness program is promoting. If those documents do not already exist, your security program likely has significant issues to begin with.