Building an Information Security Awareness Program
So, you have just been named information security officer for the corporation. Please allow me to be the first to congratulate you on your good fortune and the company’s wisdom in selecting you for the position. They have made an excellent choice and you have shown that you can do the job. The only thing left to do is to define the job and reconvince the people who hired you that the function actually requires their interest, cooperation, and yes, even funding. What you are embarking on is the most frustrating role in current information systems (IS) staffing. You will be expected to do big things with minimal staff, low budget, and only grudging compliance by those all the way up to your own overall department. You will be asked to change habits as old as the company and protect against on-going and on-growing threats with single decisive strokes and little interest in evolving your solutions as the enemy evolves. You will be subjected to auditors’ inquiries and “tsk, tsks” when they discover issues that you know exist, but cannot make the time or come up with the money to resolve. (Later on in this book, we will talk about making the auditors your allies and turning their findings into advantages.) You will be summoned by senior management — either directly or through the command chain — when one of them has finally heard or read about a threat you have been losing sleep over for the past 15 months. They will immediately demand to know what you are doing about it and how soon a remedy can be in place. Then, having demonstrated their concern, they will quietly return to the paneled offices and, most likely, will never bring up the subject again, congratulating themselves on the discovery and how they mobilized the organization for remedy, retaliation, mitigation, and so on (choose the word you like best) against the threat.