[ISN] Security Training: Whose Responsibility Is It?

From: InfoSec News (alerts@private)
Date: Tue Nov 06 2007 - 22:22:06 PST


By John Soat
CIOs Uncensored 
Nov 5, 2007

Who else other than the CIO? So why aren't CIOs doing more about it?

Mark Twain is reported to have famously remarked: "Everybody talks about 
the weather. But nobody does anything about it."

I was reminded of that quip when I read a news story posted by my 
colleague K.C. Jones about the increased awareness of security problems 
related to mobile computing devices and wireless networks, and the lack 
of effort to do anything about it. The story was related to the release 
of a survey sponsored by an industry organization called the Computer 
Technology Industry Association (CompTIA). The organization claimed to 
have interviewed 1,070 organizations about their security concerns.

    Sixty percent of organizations surveyed recently said that security 
    issues related to handheld devices have increased over the last 12 
    months... Still, only 32% of organizations have implemented any 
    security awareness training for mobile and remote workers, according 
    to CompTIA. Only 10% plan to implement security training in the next 
    12 months...

How could this be? Is it a question of resources, funding, executive 
support? Or is it a game of pass the buck? "That's an HR issue, not 
mine," huffs the hand-wringing, head-in-sand CIO.

Yet, the proof is there that security training can be effective, 
according to CompTIA. "Nearly 90 percent of organizations that have 
implemented awareness training for remote and mobile workers believe 
that the number of security breaches they've encountered has been 
reduced," said John Venator, president and CEO of CompTIA, in a 
statement. "Organizations that do not train their mobile workers in 
security fundamentals are doing themselves a great disservice," he said.

Security training in general doesn't seem to be a particular priority 
among CIOs. In the most recent InformationWeek Information Security 
Survey 2007, only 19% of the 1,101 business technology executives 
contacted in the U.S. cite "Educate business groups" as a key tactical 
security priority in the next 12 months. In answer to the question, "How 
often does your organization train employees on information security 
policies/procedures?" 47% of U.S. respondents answered "Ad hoc," and 5% 
said "Never." If my math is correct, that adds up to more than half of 
the U.S. survey respondents training their employees on computer 
security policies and procedures, uh, mostly when they feel like it.

What will it take to make computer security -- in particular, security 
related to mobile computing and wireless networks -- a priority? And for 
CIOs to take responsibility for it -- and do something about it?

