Building a resilient workforce

A resilient workforce is well-prepared to cope with whatever stuff is thrown at it, all manner of challenges and incidents ... like this for instance:

Security-aware workers are an extremely important defensive control: we really ought to recognize this email for what it is - an obvious social engineering attack, a crude attempt to dupe us into opening the attachment ... but awareness is not the only control, a good thing too since we are only human. 

A truly resilient organization has a comprehensive suite of information security controls that come into effect both before, during and after the email gets delivered, even if a hapless worker receives and falls for the con, opening that attachment.

In information security, resilience is largely achieved through layered, overlapping and complementary controls. Individually none of them can totally eliminate the risks, but collectively the risks are reduced to the point that we can handle the remaining issues - at least that's the theory! Incident management is part of it, along with risk and business continuity management including resilience engineering, disaster recovery and contingency, for those unanticipated situations that we weren't expecting. 

Awareness and training support all those aspects as well. Our awareness materials directly address management and professionals, as well as the general workforce, because they have distinct roles in making the organization resilient. Managers set key objectives, define priorities and control corporate assets, particularly funding. Professionals advise, guide and assist management in those activities, and are further responsible for implementing management edicts. A security awareness and training program that ignores either or both of those audiences is like a car with neither steering nor engine: fine as long as everything is heading downhill in the right direction.