Getting Buy-In for Your Security Awareness Program


When thinking of security awareness programs, some people already go on the defensive, saying that it is pointless. If they don’t say it, they still act like it. The real question is: with this kind of attitude becoming endemic, how will you give value to your Security Awareness Program? What will turn it into the gold of security training on any level? Why would anyone inside your corporation or, if you want to extend your area of influence, outside of it choose to buy in?

The answer must be presented from all perspectives. There is no short answer, because factors of influence determine the value of your program.

There is also the issue of employee mindset: Some people may feel like you are putting pressure on them just to give you another reason to keep them at the same salary level. They may also resist you sending them off to longer training, due to feeling less valuable than their more successful colleagues.

Get Mentalities Straight

Before even attempting to get buy-in, you need to explain not just the whys, but also the dos and the don’ts.

The first issue is that any such program will try to redefine attitudes, mentalities and actions. In recent years, the risk of being scammed, having money stolen, having one’s identity stolen and everything else one can think of has been higher than ever before. Ransomware attacks have been down a bit in the previous months, and other identified threats have also been in decline, but the numbers are still far too high.

And there are newer, even more explosive attacks out there, putting pressure on large corporations each day. No matter how well-trained the corporations have become, the attackers have gained extra knowledge as well. While consumer ransomware attacks may have declined

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Mahwish Khan.