Infosec Units Focus on Tech Training, Not User Awareness
Is that Approach Shortsighted?
One of the more curious results from our survey of government IT security practitioners (see Gov't Infosec Pros Question Fed's Security Resolve) is their assessment on how well their agencies execute security training and awareness initiatives.
We asked them to grade the effectiveness of their agencies' security training and awareness activities for three groups: IT and IT security staff, non-IT agency workers, and managers and executives. Here is how many rated their agencies' performance as excellent or good:
- IT and IT security staff: 35 percent
- Non-IT agency workers: 25 percent
- Executives/managers: 24 percent
These results suggest that many IT and IT security units see their main education and training responsibility as focused on their own organizations rather than the enterprise as a whole. It's understandable. Resources are finite, and rapid changes in technology and threats mean IT and infosec organizations invest their limited resources where they perceive they will get the biggest bang for their buck: upgrading the skills of the technologists responsible for securing data.
Yet, is that shortsighted?
IT security, like IT itself, is a core component of the enterprise. Organizations can't accomplish their missions unless they can do so securely on their networks and computers. And, that means providing the necessary awareness training to all those in the enterprise, especially non-IT executives and managers.
Here's how Deputy Defense Chief Information Officer Rob Carey approached it when he served as Navy CIO, a post he left last summer (see Navy CIO to Leave by End of Summer):
"We are working very hard to educate our senior executives and flag officers on IT at large. They don't have to be IT experts by any stretch, but as I have said several times and I think others have said, you know every person who engages in network to do their job becomes a cyberspace warrior because you present an opportunity for both being a defender and being a vulnerability at the same time.
"As we educate the workforce at large, and we raise the training of the network administration and things like that, and then we raise the education and awareness of the executives of what they need to be mindful of in their part of the department, it affords us this opportunity to sort of go forward with knowledge and comply with things with some understanding about what is expected of you."
Oregon Chief Information Security Officer Theresa Masse is actively working with agency directors in state government to get them actively involved in assessing the risk their IT systems face (see Educating Agency Heads About IT Risk). Masse explains why it's important to engage top non-IT leaders:
"Agency directors tend to think of information security only from a technology perspective, so we want to help them become more engaged in understanding that protecting their info assets is an executive leadership responsibility, and it's not appropriate for the IT management to determine risk for that agency.
"It's important for us to ensure that executive agency leadership has information security and the protection of information assets on their radar screen and that they have it in perspective with all of the other types of risks that they deal with on a day-to-day basis, and determine what's acceptable from the information security perspective."
Technical skills are important, but those alone won't secure networks, and educating users - from the clerk to the CEO - is a crucial responsibility of IT security organizations. Besides, doesn't it make fiscal sense to make the boss more aware of IT security challenges? It could pay off in more ways than one.