I find this approach to building awareness around security refreshing, because I’m betting the answers to these questions may not be what you’d expect:
“Go ahead — survey a few co-workers with this question,” says Gamblin, a principal security engineer with Kenna Security, as he plants his tongue firmly in his cheek. “Were you satisfied with the answers? Did they understand clearly what data your organization collects and why it’s important to protect it?”
Ay, and there’s the rub. The lament of so many CISOs and security managers around the globe is this: While the organization may claim to care about security, do those within it understand why? Do they know what is truly at stake should a breach or security incident occur?
I would take it even one step further, and ask whether they even care, but that might just be me being cynical. 😉
The thing is, most people in your business are there to simply do their jobs, get paid, maybe build up some nice resume-fodder, network, and move up. Understanding what data your business collects, why it collects it, what value it has, and what damage would be caused by not keeping it secure is, in many cases, just not part of the day-to-day reality of coming to work. So, they don’t think about it. Oh yeah, they get the memos, and they know there’s some nebulous “bad” thing that might happen if they were to be the one who gets phished, but in reality, they don’t care that much beyond how it impacts them personally.
The more we can help people understand how it does impact them and their job personally, the more likely they will start to care enough to pay attention. Until then, well, we see what it looks like out there now.
It’s only going to get worse if the people who have your data don’t know why they should care about keeping it safe.