Review
Infosecurity Today March/April 2005

Read my lips
Charles P Pfleeger

Rebecca Herold, Managing an Information Security and Privacy Awareness and Training Program, Auerbach Publications, 2005, 515 pages. ISBN: 0849329639

The title says it all—if you read carefully. This book is about managing a training program. The training program is about information security and privacy, but the subject matter is not the book’s real strength. Instead its power lies in its well-thought-out, detailed and even innovative approach to how to manage the programme.

Suppose you recognize a need to push for security and privacy in your organization. You know the first step is to sell the idea to senior management, and you can probably reel off the standard justifications for such a program: complying with laws and regulations, protecting corporate assets, preventing legal action, preserving the corporate reputation, etc.

Your bosses know these things, too, but they have to judge many competing appeals. So, as in any sale, you need a hook: their reason to buy your idea over others’. Herold gives us two very valuable hooks. First, she expands the usual justifications into precise lists of regulations, customers’ expectations, fiduciary and governance requirements, components of reputation, and so forth. And each of these becomes a list of points to consider. These are not vague, but concrete. She details eight items that regulators examine, 12 expectations that customers have, eight aspects of due diligence, and 28 factors that affect corporate reputation. And this doesn’t include the 17 laws she summarizes. From these 73 points you should be able to find three or four (or three dozen) that will snag your bosses’ close attention.

The second hook is the realism with which she writes. It is easy for us as security professionals to view security as the most critical issue facing our employer. Too often we prepare a case in that light, pleading for some large amount of resources (to do the job right), only to be crestfallen and dismayed when our proposal is rejected or watered down.

Herold discusses ways to stretch a smaller budget to cover larger needs by, for example, partnering with other training areas, buying generic training materials and adapting them for in-house use, tapping into external grants, bartering inside and outside the organization, collaborating with local universities, and eight other suggestions. You may find many of her suggestions unworkable in your situation, but the list is long enough to give you some ideas that just might work, or at least kick-start your own lateral thoughts.

The book is full of lists: modes of training, steps for getting started, tips for trainers, ways to evaluate effectiveness. Lists can be superficial, mind-numbing devices for weak authors. But Herold has plenty of experience, so her lists come alive. Her 142 (yes, one hundred forty-two) motivation methods are motivating themselves. Who would have thought of asking the cafeteria to create cupcakes with a privacy or security mascot or logo? Or of inserting a security pamphlet in employees’ pay envelopes? Posting a privacy or security awareness tip in the banners of specific applications, such as the timecard or travel expense screen? Giving travellers first aid kits labelled “to ensure healthy information security and privacy”? Sponsoring sports teams or local community events in the name of security and privacy? Even though I have come across many of her ideas before, I found myself reading all the lists, just to see what’s new.

The book itself takes the reader from a good idea (security and privacy training) through refining the idea, selling it to management, getting started, choosing from the 59 topics to address, and evaluating effectiveness, in 375 pages. Herold follows this with 125 pages of appendices. These include sample forms, a sample sponsorship memo, five possible security and privacy awareness mascots, a training and awareness inventory, an education costs worksheet, a consumer privacy pop quiz, and 15 case studies.

When I began this book, I had misread, or misinterpreted, its title. I expected to learn more about the issues in security and privacy. Other than some detail (such as the précis of 17 laws dealing with different aspects of security and privacy), I found little about IT security that I did not already know. I believe the cover misled me. Here, and on the book’s spine, the words “managing” and “program” are in the smallest type, and “information security” and “privacy” are largest. But we all know you should not judge a book by its cover, and certainly not in this case. This book is very much about managing a programme, an objective it meets very well.

I have to agree with the author’s approach. Most of us in the security trenches know the technical parts of our field very well. We have risen to our positions because we can configure firewalls, implement WEP encryption, code non-overflowing buffers. But many of us have little experience managing training programs. So although we are subject matter experts, we are less expert at communicating that subject matter, and even less so at managing people. This book addresses precisely that gap clearly and thoroughly. If your organization needs a security and privacy training program and it’s your responsibility, you should read this book. It will help you implement a program that will be a success with both your target audience and your management.

Dr Charles Pfleeger, CISSP is an international consultant, author, and lecturer on computer and information system security. With over 30 years’ experience in computing, he has advised high profile companies and government agencies on technical and administrative ways to address specific security risks. He is a Certified Information Systems Security Professional.