I cannot overstate the value and importance of this practice. Education is the first step toward awareness and, as you will see in the chart from Gartner below, you still have a long way to go after you have become Aware!
The challenge most organizations face here is two-fold: how to best educate their teams, who might be geographically dispersed and of different skill sets; and which team(s) to invest in for security training.
Management Buy-In - Security awareness will likely lead to behavior and policy changes at your organization. For that to happen effectively and efficiently, management must be on board. Even better, make them part of the change by ensuring that your program has elements that appeal to management.
Ensure Policies Can Be Enforced - Write clear, understandable, current, and measurable policies. Naturally, the policies need to reflect the corporate, threat, and regulatory environments. Awareness and training programs should address the importance of adhering to policies, as well as the potential financial and reputational impact to the organization from security events.
Measure and Report - Use both qualitative and quantitative metrics to obtain feedback and to measure and benchmark the effectiveness of your security awareness and training program. Most importantly, communicate these metrics and results (good or bad) to your management team for their input, support, and insight.
If at all possible, don't limit education to security awareness alone; also provide technical security training for your engineers, auditors, and others. This training is more difficult to find, but you can locate some excellent security specialists who provide training in scalable formats, e.g., eLearning, for both management and technical staff.
An Analyst's View of Security Investment
Below, I provide a chart created by Gartner Group. It describes what they call the "Information Security Maturity Model," or ISMM. The chart shows the progress organizations make as they mature in their information security awareness.
It tracks the percentage of organizations' IT budgets allocated to security and shows how it balloons and then contracts as companies move through awareness toward operational excellence.
I find it interesting that 80% of organizations are still in either the blissful ignorance, awareness, or corrective phase. I suspect that number is substantially higher if this were tracked for only application security. The message I take from this is: GET AWARE. And the best way to start? Well, if you've made it this far in the article, you are well on your way!
Ed Adams is CEO of Security Innovation, an independent provider of application security services that include security testing and training.