Last month, I posted a diary titled "The Many Paths to Security Awareness", which discussed various job positions, what motivates people in those jobs, and what messages you might use to take advantage of those motivators. The end goal is that, when faced with a security-related decision, people move in the positive direction. As a security professional, you want people in your organization or your customers' organizations to "make the right choice" when they're put on the spot.
When I started this, I had thought that protection of Intellectual Property (IP) would be of primary concern to engineers and others who actually create said IP. However, what I found was that, more and more, IP is being given a real dollar value, and any compromise of IP is being worked into corporate risk assessments. So protection of IP is now on the radar of lots of CEOs, and protection of IP can be used to influence security decisions at that level.
Folks in a Helpdesk role are motivated by uptime of corporate systems, compliance with corporate policies and personal financial incentives, but more overtime does NOT count as a financial incentive! Also, personal workstation downtime almost didn't register as a motivator (this one kind of surprised me).
Something that we all live with is that IT groups are still taking the lead in developing, monitoring and enforcing security policies. However, what is FINALLY happening is that HR is now starting to take the lead in some of this. In many organizations, things like reports from the content filter that monitors and enforces web usage policies are now the responsibility of HR, with IT there to provide the service and act as an expert consultant. This is a good thing to see, because HR is actually placed to do real enforcement of policies like AUPs (Acceptable Use Policies) and web surfing policies, where in many companies IT could only watch and shake their heads.
What didn't work across the board was any security task whose value people couldn't immediately see on their own (without a lesson from security school). So, for instance, if you want to implement password complexity where it hasn't existed before, it's probably worth a bit of an awareness message ahead of time, or no one is going to buy into it.
Anything you'd like to add to the list is welcome; by all means use the comment form to add to this story!
=============== Rob VandenBrink, Metafore ===============
May 7th 2010