If it is about IT security, business people have every confidence in the ability of IT departments that they do the right and important things. To be honest, sometimes I have the feeling, that they do not want to be involved in this security stuff.
‘Just let the nerds add some new high sophisticated technology – and all will end well.’ But, please without any impact on our daily work and to low additional costs.
This ‘not involved here’ syndrome is the main reason why information security programs fail. And, combined with blind trust in technology, things could end worse.
Some weeks ago I read a remarkable statement in post ‘Security Think Tank: Consider security Training before high-end technology’ by Mike Gillespie:
Encryption is not the solution to security, it is part of the solution and always has been. So an employee who does not realise that their device is encrypted basically when it is switched off, may still have very poor security habits, such as leaving a laptop logged on with the lid down, thinking the data is secure because it is magically encrypted.
If Mike Gillespie had one more Dollar to spent in IT, I bet, he would invest this Dollar into security awareness Training.
To ensure sustainability, it is very important to get people involved in these IT security topics. As Benjamin Franklin once said: ‘Tell me and I forget. Teach me and I may remember. Involve me and I learn’. Thus, to increase the likelihood of success, IT security programs should always be embedded in a change process.
But Management buy-in comes first! Why?
To stay in the market, with a well respected brand and competitive products, is definitely part of every company’s business strategy. IT is just an enabler for business strategy. IT supports the business groups in protecting the important digital assets and the intellectual property of a company.
Therefore, IT cannot be the driver for a security program. Business must take the initiative and start and manage the program to ensure sustainable change in IT security awareness and behaviour. If a C-level manager could be won as program sponsor, it is very likely that the program’s targets are met.
It’s all about leadership! And Change.