On being 'secure enough'

Security Week invites readers to complete a checklist/questionnaire to figure out whether their security awareness programs are "good enough". I was pleased to rate myself in the top-scoring category:
"If you scored 55 or more “yes” answers, you already know this stuff and have yourself under control. You could probably be teaching other organizations how to design and implement security awareness programs. You have a well-defined and executed program that pretty consistently exceeds standards of due care. Maintain your program and stay vigilant on quality updates."
Well yes, in a sense I am 'teaching other organizations how to design and implement security awareness programs' through our awareness service, so the high score is to be expected. In fact, we deliver rather more than the checklist requires*, but it got me thinking about whether it is realistic to expect our customers, or indeed less fortunate organizations :-), to adopt all the awareness practices and topics mentioned in the checklist, or in books such as Rebecca Herold's Managing an Information Security and Privacy Awareness and Training Program.

The reality is that the range and scope of awareness programs varies enormously, depending on factors such as:
  • The level of management support for information security and/or awareness;
  • The energy, enthusiasm and drive of the person or team driving the awareness program, plus their own preferences, expertise and experience;
  • The maturity of the awareness program, and its perceived value and effectiveness to date;
  • The breadth of information security issues facing the organization.
A few organizations are either not doing any security awareness at all, or are stuck in the groove of annual 'awareness training sessions' or begrudging, minimal compliance with their legal and regulatory requirements, which is frankly not much better. As the checklist author put it, "To put it bluntly, you are probably an accident waiting to happen."

I struggle to understand how management expects the organization to be secure if it fails to inform and motivate its employees on security matters. It's a curious form of myopia/blindness. Perhaps these same managers put all their faith in antivirus and firewalls ... right up to the point that they are hit by one massive security incident (à la RSA) or a string of (slightly) smaller ones (Sony-style). Meanwhile, they are slowly being bled dry by the background noise of information security incidents which nobody notices or cares about. What a waste!


* We cover a wider choice of information security topics, with a broader range of awareness materials, and last but not least we create awareness materials for IT professionals as well as for general employees and managers.  What do you do?

PS Aside from the differences between organizations, different parts of an organization may be at different stages of maturity with respect to information security and/or security awareness. And it's a dynamic, fluid situation - for example, awareness levels will be higher soon after a major incident or event than they were before it.