TRANSCRIPT
Information Security Awareness
Copyright © 2011 IsecT Ltd.
September 2011
Management seminar
Building our security culture
Introduction
[Diagram: "Security culture" at the centre, surrounded by three questions]
What do we want?
How do we get it?
How do we know when we have it?
What do we want?
[Diagram: "Security culture" with the three questions; the answers to the first are listed]
What do we want?
• Intolerance for insecurity
• Secure by default
• Proactive security
• Fewer/less costly security incidents
• Free security!
But we already have a security culture
Do you really think so?
Would you spot a fake email like this?
[Annotated screenshot; callouts read: "Handles sensitive medical data", "College", "8 colleagues to exploit", "Too easy!", "25m more targets!", "Job title"]
OK, so how do we get it?
If you accept that a security culture is indeed a valuable goal, what would you suggest we do to establish or improve ours?
How do we get a security culture?
[Diagram: "Security culture" with the three questions; the answers to the second are listed]
How do we get it?
• Leadership, direction
• Evident support
• Persuasion, motivation
• Awareness, training & education
• Policies, procedures, guidelines
• Reward & punishment
How do we know when we have it?
[Diagram: "Security culture" with the three questions; the answers to the third are listed]
How do we know when we have it?
• People do the right thing, even when not being told or watched
• Behavioral metrics
Summary
[Diagram: "Security culture" with all three questions and their answers]
What do we want?
• Intolerance for insecurity
• Secure by default
• Proactive security
• Fewer/less costly security incidents
• Free security!
How do we get it?
• Leadership, direction
• Evident support
• Persuasion, motivation
• Awareness, training & education
• Policies, procedures, guidelines
• Reward & punishment
How do we know when we have it?
• People do the right thing, even when not being told or watched
• Behavioral metrics
Management action plan
1. Check the security policies & procedures
2. Lead by example: demonstrate secure behaviors, place a value on security
3. Identify and reward secure behaviors
4. Encourage open discussion about security matters – talk it up a bit
5. Reap the benefits of a security culture
Further information
• Information Security Policy Manual and
other security awareness materials
• CIO or Information Security Manager
• Browse the intranet Security Zone
• Managing the Human Factor in
Information Security by David Lacey
and Spies Among Us by Ira Winkler
• Google for more!