Posts

Showing posts from March, 2016

Network security awareness

Suppose you decide, or are required, to raise awareness among your employees of the security aspects of networking. What do you want to cover? What are the main things you want to get across? Think about that for a moment. Something that naturally springs to mind is IT network security, Internet security in particular. I guess you were mostly thinking about hackers, malware, firewalls, VPNs, that sort of thing, and fair enough, those are certainly significant issues ... but wait, just as there's more to information security than IT or cyber-security, there's more to network security than IT networks! April's awareness module takes on a wider brief, including classical IT network security (TCP/IP, the Internet, portable/mobile IT devices, VOIP, VPNs and all that jazz), current IT network security challenges (particularly cloud and IoT, plus home-office/private networking), and information security aspects of other forms of networking (social networks, business networks, coll...

Creative approaches to information security induction/orientation

This morning, my beady eye has been caught by an excellent Harvard Business Review article from 2007 about creative approaches to new employee orientation/induction. In particular, I was struck by this: "New employees go through an exhausting three-month immersion process, a sort of organizational boot camp, in which top management, including the CEO, oversees their every step. In the first month, new recruits participate in fast-paced creative projects, in teams of about 20, under the mentorship of more-experienced colleagues called section leaders. In the second month, the project teams are shuffled and split into smaller “breakthrough teams” charged with inventing product or service ideas, creating business models, building prototypes, and developing marketing plans—all in hyperaccelerated fashion. In the third month, the recruits have to demonstrate their capacity for personal initiative. Some continue working on their breakthrough teams; others find sponsors elsewhere in th...

Another vendor survey critique

I've just been perusing another vendor-sponsored survey report - specifically the 2016 Cybersecurity Confidence Report from Barkly, a security software company. As is typical of marketing collateral, the 12-page report is strong on graphics but short on hard data. In particular, there is no equivalent of the 'materials and methods' section of a scientific paper, so we don't know how the survey was conducted. They claim to have surveyed 350 IT pros, for instance, but don't say how they were selected. Were they customers and sales prospects, I wonder? Visitors to the Barkly stand at a trade show, perhaps? Random respondents keen to pick up a freebie of some sort for answering a few inane questions? An online poll, maybe? The survey questions are equally vague. Under the heading "What did we ask them", the report lists: Biggest concerns [presumably in relation to cybersecurity, whatever that means]; Confidence in current solutions, metrics, and employ...

How effective are our security policies?

On the ISO27k Forum today, someone asked us (in not so many words) how to determine or prove that the organization's information security policies are effective. Good question! As a consultant working with lots of organizations over many years, I've noticed that the quality of their information security policies is generally indicative of the maturity and quality of their approach to information security as a whole. In metrics terms, it is a security indicator. At one extreme, an organization with rotten policies is very unlikely to be much good at other aspects of information security - but what exactly do I mean by 'rotten policies'? I was thinking of policies that are badly written, stuffed with acronyms, gobbledegook and often pompous or overbearing pseudo-legal language, with gaping holes regarding current information risks and security controls, internal inconsistencies, out-of-date content and so on ... but there's even more to it than their inherent quality, since pol...