The security of our information systems is now a number one priority. We can no longer think of a society without all the luxury of technology. These technologies are powered by information systems that need to be secured. Whether you are trying to secure a multibillion-dollar company, a government institution, or a small one-person business, everyone should start taking security seriously.
According to the NIST publication SP 800-50 there are three steps that lead to an effective security program. This program targets everyone in the organization at different levels and functions.
For Everyone.
Everyone should have basic information security understanding and know what they should do in case of a security event through an awareness program. Awareness is about helping people know what to do and not necessarily understanding how security works.
“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security.” The Awareness program is intended to allow individuals to recognize IT security concerns and respond accordingly.
The awareness program should be based on key aspects of the organization’s information security policy. The information should be adapted to suit the need of everyone within the organization right from the top of the organization to the lowest level. Therefore, everyone within the organization should be provided with a security awareness program.
All IT System Users
All users using the information systems should be provided with basic information security training. This is in addition to the security awareness program for everyone. The security awareness program tells people not to click on a link in an email from an unknown sender but to delete it. But how does the user go about deleting this email securely? Therefore, these users should be trained to carry out the recommendations in the security awareness program.
Any user exposed to the organization’s IT systems should be provided with basic information security and literacy training. The main difference between an awareness program and training is more formal, having a goal of building knowledge and skills to facilitate job performance. Training strives to produce relevant and needed security skills and competencies.”
Here, the organization needs to come out with the training need analyses and build a training program that ranges from a beginner to an advanced level.
IT and Security Professionals
Any misstep by any IT professional could easily lead to a security breach. It does not matter whether they are System Developers, Network Engineers, or Operating Systems Administrators. They are all standing side by side with the information and cybersecurity professionals on the battlefield of cyberwarfare.
Education teaches people to make educated decisions. All IT professionals exposed to the information systems on a technical level should be well-educated to help them perform their jobs effectively and efficiently.
Therefore, a continued security education program that will provide them regular security training tailored to their job role should be available to them. A well-tailored information security education should be available at multiple levels. The beginners, the intermediate, and at the advanced level. Organizations should strive to produce IT security specialists and professionals capable of vision and pro-active response.
