The People Element

by d.strom, cissp, gsec, gsna on May 19, 2009

People play a vital role in your Defense In Depth strategy. Technology, by itself, cannot provide information assurance. Likewise, great operational procedures cannot assure confidentiality, integrity and availability.

Time and effort must be invested in people.

I used to think that good technology and procedures could overcome almost any problem. That was before a co-worker was arrested for stealing many thousands of dollars' worth of new computers. He was able to circumvent operational procedures. The technology in place to watch the receiving dock did not catch him. People really can be the weakest link!

Here are a couple of items you need to consider as you work to strengthen the People portion of the information security program.

  • Top-level management support – While this may sound pretty basic, it is key to the whole InfoSec program. Everyone says this, but it really is true. It is critical that the CIO or CEO support the efforts to protect the information assets of the organization. It may require some creative work to ensure this happens, but it is certainly worth the effort.
  • Awareness of employees – The folks who do the work of the organization need to understand their role. Most people want to do the right thing, but sometimes do not know how. Creativity is the key here. Will people remember a two-hour briefing on their role in information security? Probably not! So, how about spending some time coming up with unusual ways to show them?

The role of people in your information security strategy cannot be overemphasized. They need to be aware of their role and the importance of their careful actions. The top level of management needs to buy in to the efforts.

Take a look at your organization. Make sure that the CIO, CEO or owner knows and supports the program. Help people to understand their role.

Have fun!

- Dan
