Security Awareness Requires Carrots, Sticks -- and Lots of Communication

COLORADO SPRINGS, COLO. -- At Cisco Systems, John Stewart, vice president and CSO, estimates that he delivers 95 percent of his security awareness training online, and about 5 percent in person at the networking giant. At biotechnology company Genzyme Corp., Bhavesh Patel, director of information security, says he does the inverse: about 95 percent live presentations about security to employees and 5 percent online.



But while the delivery channels might differ, the security executives talking at CSO Perspectives agreed that effective security awareness programs require top-management buy-in, policies that require accountability for bad acts and rewards for employees who perform well. And good awareness programs also require a great deal of communication about the stakes involved in protecting corporate assets.



At Cisco, Stewart says, the security awareness program works to convey those stakes in bottom-line terms. "We tell them, here's what you're protecting. A company with a $150 billion market cap, our customers" and data about them.



The company's online security training has workers click buttons indicating that they have read security policies and agree to abide by them. If someone violates a policy, Stewart can check whether that person agreed to abide by it. Such conversations can become awareness tools, Stewart says, by educating an employee about the reason for policies and the risk involved in violating them.



Both Stewart and Patel say they offer rewards to employees who perform well by alerting security to a problem, for example. Patel says his security team makes a point of praising an employee's performance to his manager. Stewart says he organizes awards presentations -- one in front of the award-winning employee's department, and a second one in front of Stewart's security department. Financial rewards are also part of his arsenal at Cisco. "People don't mind being patted on the back," he says, adding wryly, "I'm not beneath bribing" good performance.



Both Cisco and Genzyme are companies that grow by acquiring other companies, and both Stewart and Patel say they work to gain access to new employees from mergers to begin awareness training as soon as possible. Patel says that Genzyme's security group is part of the acquisition team.



"When a merger and acquisition is announced, we do a presentation on day one," Patel says. "We tell [new employees] what they have available to them" in terms of security.



Stewart says that Cisco has learned over time -- and many acquisitions -- that one size does not fit all newly acquired companies. Some require Cisco's direct involvement and others have well-established security programs in place.



Stewart says he also publishes an in-house web page at Cisco that includes security updates and security awareness tips. He says he is in the process of making some of those articles public on Cisco.com to share those tips with the public.



-- Michael Goldberg