Dr. Peter Lokhorst is Managing Director of InfoSecure BV, which is currently in seven countries and provides awareness training programs to international clients including Procter & Gamble, European Central Bank, Deutsche Telecom and Bayer.
In this interview he discusses the value of security awareness programs, the challenges involved in teaching employees, and provides advice to CISOs interested in introducing security awareness training into their organization.
Lokhorst will be speaking about innovative formats for awareness at ISACA's North America CACS conference in April.
Some argue that security awareness training is a waste of money, while others find it invaluable. Where do you stand?
If you approach the awareness training as a single and one-time activity for the employees, I fully agree that it is a waste. It has very limited value if you train employees on the issue of security just by confronting them with the best practices and dangers once.
What you want is a change in behavior of individuals and a cultural change in the company as a whole. To achieve this goal, you must repeatedly confront employees with possible threats and show them best practices. Also, the role of the managers is crucial. It is important to train trainers in their role and be sure that they practice good behavior on a day-to-day basis. Safety is not about knowledge in most cases, but it is all about “awareness” in the true sense of the word. You only reach a higher level of awareness if safety is an issue that is repeatedly discussed and addressed.
BYOD and teleworking have changed the corporate landscape substantially. What specific challenges do companies face when doing security awareness for an increasing mobile workforce?
Awareness and the human aspect are becoming more and more important. As an organization, it is not enough to protect your internal network and data with a firewall and other technical measures. The behavior of your employees, when bringing their own devices, is much more important. Are they aware of what the internal regulations are related to copying data to their own devices or using them for business e-mail?
From the findings of ISACA’s 2013 IT Risk/Reward Barometer, we learn that, for instance, in the US only 31% of consumers see it as a real risk. In the UK, this is not even a quarter of all consumers. Consumers are also employees.