Technology is important for information security, but if people ignore it, it doesn’t work very well. You can have the best technology in the world, but if people don’t understand its importance, it may be a waste of time and money. You also need to educate people on its use and value. A strong education program improves overall information security over time.
Think of how we educate our children. We teach them their native language starting in grammar school and continue through high school. This constant education improves their ability to read, write and understand their language. We can apply the same techniques to information security awareness.
Unfortunately, education is a slow process, but it can be helped by example. If a school teacher is reviewing proper sentence structure, he or she should use proper sentence structure when speaking and writing. If the teacher says “I want to show you how I does that,” a child may start questioning what she’s being taught. The teacher is violating her own rules, so the child concludes it must not be important. The teacher is setting a bad example.
It’s the same in any organization. If a CEO says “Everyone should do this …” but then violates it day and night, it sets the wrong example. Years ago I was in an organization where everyone was mandated to use a particular travel service, but the CEO and senior officers used something entirely different. That told me that the rules don’t matter.
Education and setting policy are important, but if practice doesn’t follow, you don’t get compliance. How many times have you heard that it’s the policy, but no one follows it? Then what’s the point of having the policy?
In the area of information security, every person in the organization needs to understand what information is confidential and what isn’t and act accordingly. The people at the top must set the right tone by practicing what they preach. Education can help, but a lot of money can be wasted on security awareness training when setting an example from the top can be much more effective.
We need to stop preaching “Do what I say, not what I do” and start preaching “Do what I do.” If the CEO and other people at the top of an organization are walking the walk, rather than just talking the talk, it goes a long way. If a policy says “encrypt documents you send to customers,” and I see the CEO doing it, I’ll do it too. I’ll believe it’s important.
By setting expectations at the top of an organization, you will make it easier to get action. The best leaders lead by example. If you want your organization to adopt information security policies and procedures, make sure those at the top are setting the example. I am more likely to adopt something if I see everyone else doing it.
Are you setting the right tone at the top in your organization?