Read the book Security Awareness For Dummies - Ira Winkler - Page 24

CHECKING THE BOX MIGHT NOT BE JUST FOR AWARENESS

Sometimes the Check-the-Box mentality extends not just to the awareness program but also to the security program in general. One of my friends was hired as a CISO of a credit union. One of his first acts was to have me submit a proposal for a security assessment. The proposal met his budgetary needs and he submitted it for approval. He called me up a few weeks later to tell me that they would not be proceeding with the assessment, because his management team thought they had only $10 billion in assets and believed that criminals would never go after such a small financial organization. He went on to say that he found out that the only reason he was hired was that the auditors told the board they could not pass an audit without a CISO in charge of information security. It was no surprise when he left the organization three months later.

Clearly, an entire security program based on the principle of Check the Box presents a major threat to an organization and, more importantly, to its customers. I use this example to highlight a broader point: although an entire program run as a Check-the-Box effort is an obvious danger, treating any single element of the program as a Check-the-Box effort is a major risk to the program as a whole.

Though standards evolve, at the time of this writing, the major industry standards regarding security awareness are vague. For the most part, all they require is that an organization has an awareness program in place. The standards imply that organizations should hold annual awareness training, but they don’t specify what these trainings should entail or how to create them. As long as an organization can provide some form of confirmation to potential auditors that employees received some form of annual training, “the box is checked.” Even though auditors sometimes require phishing simulations, the standards provide no instruction for creating the simulations or performing them effectively.

In Chapter 8, I show how you can justify your efforts, even to a tough Check-the-Box crowd, by using metrics to demonstrate the value of your efforts to your organization.
