More on Education for Enterprise Security

This post sponsored by the Enterprise CIO Forum and HP.

In my last post, Education – the key for Enterprise Security, I wrote about the need to educate the organization on the need to think about IT Security.

In that post, I included a photo of a door. A door that had no walls around it.

That door with no walls is a nice visual of many organizations today. We spend so much time and money focused on the doorways that we ignore the walls.

We put a lot of money into the technology to control access, but neglect to put money into education to make sure the walls around the doorways aren’t torn down.

And… that’s exactly what is happening in most organizations today. Groups are tearing walls down. They are doing this with Shadow IT and BYOD. They are destroying walls for a great purpose…the betterment of the organization…but they are introducing security risks without understanding the dangers.

As I pointed out in my last post, Christian Verstraete wrote a post titled Keeping Cloud in mind when you look at your security, where he wrote:

Pro-actively define your security strategy. Decide what an acceptable risk level is. Choose and implement tools and procedures accordingly and train, train, train your employees. Believe me, this may cost you money, but it will be a factor less than if your security is breached. Just think about the damage to your brand if you are compromised.

Emphasis mine.

We (in IT) do a good job of defining security strategy, risk and plans for dealing with security issues. We are good at that. We have defined these things so well that we’ve defined ourselves into the position of always saying ‘no’…which is one of the main drivers for Shadow IT.

Even better than defining risks and planning to deal with risk, we are good at reacting once a risk has been identified. Most IT organizations are very, very happy to tell you how quickly they’ll react to a danger that they find. While that is something to be proud of, I’d rather we brag about how few times we’ve had to react. Or better yet…how pro-active we are in educating our organization on the issues of security.

How do we do this?  As I wrote in my “boogeyman” post, we need to:

…find ways to highlight the dangers of the boogeyman without actually making people think about the boogeyman.  We need to talk about the dangers of Shadow IT while educating our clients to the real dangers that exist using language they can understand.

How do we educate our users to the dangers that lurk in the shadows without boring them? How do we communicate our needs for security while being open to change and new platforms?

That’s the million dollar question…and I don’t know the answer. But I do have a few ideas on how to get the process started:

  • Communicate – the first step is to communicate with the organization. I don’t mean just ‘talking’ to them…I mean sitting down talking with them about the issues at hand. Talking with them about the importance of security and how you and your team can help with their current projects.
  • Consult – Rather than be relegated to being an operations arm, IT should get out into the organization and become a Technology Consulting organization. Using this approach, you can be proactive and help the rest of the organization select / implement technology rather than waiting for them to bring you a new ‘project’. This will let you get in front of any potential security concerns...maybe :)
  • Embed - One of the most interesting ways to educate (and help) the organization is to embed members of your IT staff into other groups.  Whether this is a long term assignment or a short-term one, it helps get the IT group involved in other areas and helps to make people more aware of the services of IT. In addition, it makes the IT group more ‘human’ by getting your team members away from their desks/cubes and closer to the rest of the organization.

Those are just some thoughts…they not only help with the educational aspects, but help with collaboration as well.

What are your thoughts?


Comments

  1. VirtChangesEverything says:

    As you’ve mentioned across several enterprise security posts, the message needs to be clear. In reality, ent sec discussions are needlessly complex. Yes, as Christian Verstraete points out, training is important. Don’t forget simple visibility, say dashboard notices available in physical locations, during logins to key apps and within corporate communications. –Paul Calento
