Friday 1 September 2017

Back to basics: InfoSec 101

When someone initially joins an organization, they immediately start absorbing the corporate culture – ‘the way we do things here’ – gradually becoming a part of it. Most organizations run security orientation or induction sessions to welcome newcomers and kick-start the cultural integration process, with individual sessions lasting between a few minutes and a few hours depending on the topics to be covered, local practice, and of course the audience (e.g. there may be a quick-start process for managers, and more in-depth training for technical specialists).

Let's be honest: orientation tends to be as dull as a lecture on the dangers of teenage pregnancy. It's trial-by-fire, something to be endured rather than enjoyed. 

The new Information Security 101 module covers common information risks (e.g. malware) and controls that are more-or-less universal (e.g. antivirus). The awareness materials are deliberately succinct and quite superficial: they outline key things without delving into the details.  

Given the context of a continuous security awareness program delivering a stream of fresh materials, there's no need to cover everything about information risk and security in one hit. The pressure's off. Relax! All we really need to do in the induction session is help newcomers set off on the right foot, engaging them as integral and valuable parts of the organization’s Information Security Management System.

That leaves room to focus on an even more important objective, one that we will expand upon in next month’s module. Building relationships between Information Security professionals and business people in general makes a huge difference to the corporate security culture. Think about it: would you rather pick up the phone to the friendly professional who took time to meet you when you joined the organization, or to a total stranger?

First impressions count, so the module is designed to help Information Security deliver engaging and interesting induction sessions accompanied by impressive supporting materials.  

As well as orientation, Information Security 101 also facilitates the initial launch or relaunch of an awareness program (perhaps in support of an ISO/IEC 27001 Information Security Management System, for PCI-DSS, or for other compliance reasons). It introduces the new program, quickly bringing everybody up to the same foundation level of awareness and understanding.  We're literally getting them on the same page in the sense of introducing and explaining the corporate information security policy.
