Tuesday 15 May 2018

Joining the dots

Security awareness and training materials are inevitably aligned in the general sense that they all concern or relate in some way to information security. The materials have a lot in common, building upon the same foundational principles and concepts. 

With our service, consistency is virtually guaranteed since the materials are all conceived, researched and prepared by the same close-knit team. While we enjoy exploring novel approaches, and our own perspective is constantly evolving, we can't help but continue along the same tracks.

Most of the time, relationships between topics are incidental. Every so often, though, we like to point out and use the linkages deliberately as part of the awareness approach. We're delivering a coherent campaign, a planned rolling/continuous program rather than a sequence of discrete, independent and unconnected episodes. 

Grab the crayons and join the dots to reveal the whole glorious technicolor picture.

It occurred to me this morning that by the time June's awareness module is released, GDPR will be live, meaning that most if not all of our customers will be legally obliged to report or disclose privacy breaches within 72 hours.

That's just 3 days in old money [gulp]. Barely enough time for a corporate crisis [cue: panic].

I'm not entirely sure at this point precisely when the breach reporting clock starts counting down the 4,320 minutes, nor when it stops, so I ought to dig out and read the regulation, again, from this month's awareness module. Leaving that issue aside for a moment, those quarter-of-a-million seconds will doubtless fly right by in a flash, hence organizations would be wise to prepare for that eventuality ... which thought feeds directly into June's awareness topic around incidents and disasters. Breach disclosure is a neat example of the value in considering and preparing for incidents, getting ready to respond, ideally practicing and refining the response arrangements in order to beat the regulatory deadline in the most cost-effective and professional manner.

So, that's the topic of June's case study decided, plus a relevant example to bring up in the awareness seminars and briefings, and something for customers to check out using the Internal Controls Questionnaire from the module.

The cool part about these links between topics and modules is that they work both ways. We refer forward to future topics with little tasters of things to come without needing to delve right into them. We refer back to prior topics as reminders of what we covered previously. Glancing at our schedule for the rest of this year, I see we will be exploring security frameworks and methods in July, then insider and outsider threats pop up in August and September: we must remember to mention those topics where applicable in the incidents and disasters material for June.
