"[T]he survey showed ... a surprising lack of awareness of security issues among the respondents. For instance, just 4% admitted to being fully informed about security breaches within their organizations. About 80% of those who said their organizations had suffered a data breach in the past year were unable to tell which IT components might have been impacted by the breach. There appeared to be even less knowledge or acknowledgement of the costs associated with a data breach. Nine out of 10 of those who said their organizations had been breached said they had no idea of the resulting costs to their companies."
So says a survey of the Oracle Application Users Group (OAUG) conducted by Unisphere Research.
I find it surprising that security awareness programs evidently pay so little attention to security incidents happening within the organization. Such incidents present ideal opportunities to discuss actual real-world security situations and business impacts that are of direct relevance to employees. They help get around the feeling that "incidents only ever happen to other people" and "that'll never happen here".
On top of that, such incidents are quite easy to investigate and write up. Sure, some departments, managers or staff might be a little sensitive, perhaps reluctant to 'see their dirty laundry washed in public', but it's for the general good, and if reported sensitively it can highlight the positive learning and improvement aspects. Keeping them hidden is, to me at least, an unpalatable and unhelpful way of dealing with them. I would even go so far as to say that failing to take these improvement opportunities is a governance failure.
By the way, security incidents suffered by competitors and others in the same industry or area are also good fodder for awareness programs, supplementing the usual headlines and news stories from the security press. In many ways it is better to learn from the misfortune of others, but incidents close to home tend to resonate with the audience and are more motivational.
Regards,
Gary Hinson
IsecT CEO and security awareness fanatic