TM - December 2007 - (Page 47)

the overall goals of the organization. Current security practices should be used as a benchmark to determine if training is helping to achieve the objectives and goals that have been set. It also makes it possible to set clear, measurable objectives in the beginning. Sell Security Awareness Internally Another important initial step toward enterprise security is to get upper management and senior officers on board with the program by showing them how an effective training program can positively affect the organization’s bottom line. Show senior management a cost/benefit analysis that includes an estimate of how much money the organization loses each year due to security breaches. If possible, show how the root cause of many of these breaches was caused, in part, from human behavior. In conjunction with the design, the task force should consider branding issues to ensure that employees associate the program materials with the organization. Additionally, this group will need to determine the look and feel of all materials (for instance, online materials, printed copies, videos and presentation materials) and establish how they will implement the training. Implementing the Program Employees need to clearly understand their role as it pertains to each security policy. If employees understand the importance of their role in keeping the organization’s data secure, they are more likely to alter their behavior and think twice about opening a questionable e-mail attachment. Therefore, the training program is critical, because it explains the organization’s security policies and the necessity for implementing these policies. Using security industry best practices as the basis for the content of the training program will ensure that companies are addressing security concerns with proven methods. Once employees have a basic understanding of security policies, they can apply simple steps to help them protect the organization’s information. A security awareness program enables organizations to improve their security posture by offering employees the knowledge they need to better protect the organization’s information through proactive, security-conscious behavior. Once these costs are understood, it is easier to demonstrate how training or education programs can help prevent, or at least reduce, costs associated with these threats. If senior management is shown the value of the program, then they are more likely to approve and support it. When presenting the case for these programs, it is important to emphasize that while these security incidents are damaging, employees can help prevent many of these vulnerabilities. Designing the Program As with any program, the success of a security awareness program will rely heavily on how the information is delivered. Security awareness training should be incorporated into new employee orientation, as well as special training sessions by department, while executives and managers may be more receptive to training that is incorporated into regular management meetings. A good way to reinforce what has been learned is to offer rewards and positive feedback to employees for improving their security behavior. Rewards can be presented to individuals or companywide. Announcements can be made through company newsletters or mass e-mails that show employees a comparison of statistics from before and after the training. Seeing that others in the company are making the effort to become more security conscious will further encourage employees to continue good security behavior. No matter the scope of the program, employees are an asset to any organization’s security posture. The more businesses define them as such — and the more training they receive on security initiatives — the more secure an organization’s data and information will become. As organizations continue to implement and reinforce training programs, they will continue to see an increase in both security and employee productivity. Luis Navarro is a senior consultant of security awareness practice for the Symantec Corporation. He can be reached at editor@TalentMgt.com. An effective security program brings together a team of personnel from a broad range of departments in the organization, including IT and physical security, human resources, accounting, legal, marketing and internal communications. Having input from various sources within the organization will help to produce a complete security program for the entire company, with specialized messages and delivery methods for each department. The program design requires the development of a significant amount of documentation, including: • High-level charter that explains the program’s objectives • High-level design that defines current security issues and how they will be addressed • Detailed documents that describe how the program will be implemented, managed and measured December 2007 46 talent management magazine www.TalentMgt.com http://www.TalentMgt.com

Table of Contents Feed for the Digital Edition of TM - December 2007

Talent Management - December 2007 Editor's Letter Contents Letters to the Editor Human Performance Leading Edge Capabilities The Engaged Difference: What People Want Analytics in Talent Management: The Sports View The Use of Merchandise for Employee Recognition Taking Aim at Performance Appraisals Talent Management Drives Organizational Change Generational Diversity: Mastering the Boomer-X-Y Divide Dashboard: Security-Savvy Workforce: Designing a Security Awareness Program That Works Application: Hilton Hotels Corporation:Checking Out the Merits of Paperless Efficiency Insight: Unlimited Engagement: Innovative Corporate Communication at Deloitte & Touche USA Advertisers' Index Editorial Resources Foundations

TM - December 2007

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.