Two weeks ago, I attended RSA 2013 Conference in San Francisco and was impressed by the number of participating security vendors. The addition of the Human Element and Breaking Research in the technical track sessions also provided a refreshing stroke to this year’s presentations.
Below are some of my experiences and insights on some noteworthy discussions involving security awareness, hacking back, and going offensive legally.
The 7 Highly Effective Habits of a Security Awareness Program
Samantha Manke and Ira Winkler of Secure Mentem discussed their views on the difference between security training and security awareness. They highlighted the importance of a security culture in companies in enabling employees to apply best computing practices on a daily basis, resulting in long-term security awareness within the organization.
They presented the results of their recent study conducted among Fortune 500 companies in the Health, Manufacturing, Food, Financial and Retail sectors. This study focuses on the security awareness campaigns that companies implemented and how effective these were. They came up with key findings that led them to create their 7 Highly Effective Habits of a Security Awareness Program, which are:
- Create a Strong Foundation
- (Have) Organizational Buy-in
- (Encourage) Participative Learning
- (Have) More Creative Endeavors
- Gather Metrics
- Partner with Key Departments
- Be the Department of HOW
My key takeaway from this session is of course the last part. We, the information security professionals, should be the “Department of HOW” and not the “Department of NO”. We must focus on how to allow users to do what they want safely, instead of simply saying no to our own customers and further locking down systems.
While I understand the need to establish dos and don’ts in company security policies, we should raise the bar and let security be a key part of solving business challenges, not an obstacle to it.