Datacom's Tech Knowledge Blog


How to Make Everyone in Your Organisation an Information Security Officer


Your employees might not know what technological faux pas they have committed to cause a kerfuffle for the IT department. In fact, a recent report in SC Magazine’s Australian edition stated that while the overwhelming majority of organisations have an IT policy governing security, a quarter of employees are unaware of its existence. And 35 per cent of the employees who work in environments with said IT policy claim their IT department provided no rationale or explanation justifying the existence of these security rules.

The good news is most employees are willing to participate in a holistic approach to information security; IT just has to ensure staff know the why, what and how of these guidelines. With the proper education and a reasonable (and understandable) security policy, you can move your organisation beyond a because-I-said-so culture to a secure environment. To make this transformation a reality, consider these guidelines.

  • Act as a sales rep for IT security. In this instance, change begins at the top and trickles down. If your managers are wandering around the office with personal smartphones connected to the network (after all, they know what they're doing, right?), it's time to get everyone on the same page. In order to push your security message, you have to demonstrate that the higher-ups can (willingly) abide by protocol.

And as all sales reps will tell you, you have to speak your prospect’s language. As you communicate the importance of cyber security and which aspects fall on your employees, remember to not only break down technical points into something digestible but also emphasize the benefits of the policies. When employees understand the implications of their actions, they’re more likely to follow information security guidelines.

  • Security starts on Day One. Transforming your information security policies into something simple and sharing them with employees will make great strides in improving security. But what happens when new employees start? Can you trust security-briefed employees to pass the policies on when their chief concern is training new hires for their real jobs?

Work with your HR department to include IT security training in your organisation’s new-hire orientation. You’ll help immediately set the tone for security responsibilities while ensuring all employees are on the same page. Setting up periodic mandatory cyber security meetings through HR will help employees stay abreast of changes. You could also consider sending out a newsletter or posting an intranet article on the latest IT security updates and possible threats of which to remain aware. 

  • Your IT security policy is a living document. Technology changes. Current information security protocols become unnecessary. New policies require training and updates. In the last few years, many organisations have struggled with the boom of employees using personal laptops and mobile devices for work, particularly for communicating with clients.

Some IT departments are struggling to stop employees from initiating Bring Your Own Device without addressing the key question: Why are employees using personal devices in the first place? What isn’t IT providing to give employees a technological edge? You must weigh security against productivity to find the perfect balance — and that balance will always be changing.

You don't have to stonewall employees clamouring for BYOD; you just need to make them aware of how to act when given this privilege. Requiring mobile infrastructure to remain in a trusted, compliant state and centrally issuing security patches and updates to mobile devices are some of the tips Datacom's Technical Security Services (TSS) unit gives clients looking to institute a BYOD programme.

Once employees know their role in cyber security, and that following procedures won't hamper their productivity, everyone in the office can act as an information security officer.

Comments

I think you have missed an important point here. IT do not define the IT policies. The governance group do this. They define what policies are to be introduced, as they are acting on behalf of the rest of the business. IT then implement and support the policies.  
 
This is a fundamental mistake that most organisations make, with IT fighting against the rest of the organisation, trying to introduce good practice while everyone else feels put upon. 
 
I think the IT Skeptic put it wonderfully in his white paper here: http://www.itskeptic.org/public/how_we_have_failed_it_like_a_bad_parent_v5.pdf 
Posted @ Monday, August 06, 2012 6:37 PM by James Gander
This is a very good point James. It seems like it's of utmost importance that there is a team or committee surrounding policy formation and implementation that involves IT, managers, directors and others - would you agree?
Posted @ Monday, August 06, 2012 8:55 PM by Datacom Blog Team
Yes. There should always be a governance group made up of key members of the senior leadership team of the organisation, who can help to define the IT strategy, ensure that it helps to meet the organisation's strategy and also provides governance and leadership to IT. 
 
Posted @ Monday, August 06, 2012 9:13 PM by James Gander
Your IT security environment is probably complex, with myriad components like mainframes, servers, desktops and mobile devices, plus business applications and security devices. They may not be all integrated, so silos of information could be obscuring your visibility and limiting your security intelligence.
Posted @ Monday, August 27, 2012 6:08 AM by Cyber Security
Really good points -- thanks for sharing.
Posted @ Monday, August 27, 2012 6:03 PM by Datacom Blog Team
Great read. Some definite critical points. In terms of longevity, definitely a wise idea to start with security measures at square or day one. The more it becomes standard practice, the brighter the outcome of your organisation will be.
Posted @ Wednesday, April 24, 2013 11:36 AM by Charles Trentham
Thanks for the comment Charles -- security is often something relegated to a one-time communication or piece of paper outlining security guidelines for the organisations when it really must be continually communicated to current and new employees.
Posted @ Thursday, April 25, 2013 6:39 PM by Datacom Blog Team