How to Integrate People, Processes and Technology

In today's interconnected marketplace and global economy, information assets are at greater risk than ever before. Symantec Vice President Paula Hamm writes that security incidents have become increasingly more devastating and expensive, not to mention public. Recovering from data loss can have an immeasurable impact on an organization's reputation, business operations and ultimately, its bottom line.

/images/stories/70x50/bug_knowledgecenter_70x70_(2).jpgAs organizations continually increase their dependence on IT systems to conduct business, mitigating IT risk has become a top priority. But effectively managing IT risk is no longer a matter of only addressing technology-it's now about integrating people, processes and technology. The effectiveness of even the best technology and processes is frequently undermined if employees do not understand both the value of the organization's information assets and their role in securing these assets.

With so many security threats on the horizon, it's comforting to know that the strongest security asset is already inside the company. Successfully protecting information assets requires employees at every level-from the top down-to obtain a basic understanding of the security risks, policies and technologies implemented to help mitigate those risks, as well as their respective responsibilities in protecting the company's assets.

When it comes to managing IT risk and creating a highly reliable organization-or one that has zero IT failures-technology plays a crucial role. Enterprise software products work very well, but to complete the equation, people and processes should also be addressed. A recent study conducted by IDC showed that well-trained teams were twice as likely to properly protect their PCs from security threats and were 60 percent more likely to successfully complete backup jobs. This proves that, while processes for routine events are critical and can help ensure that mistakes don't happen, it's the people who help ensure that the right things happen.

Human operators are often the most essential part of any equation. When the human side of the equation breaks down-due to insufficient expertise, lack of experience or inadequate process design-IT systems fail. But, with proper education and training, employees can become an organization's strongest line of defense and its most valuable security asset.

Security education and training also helps organizations improve their security posture by offering employees the knowledge they need to better protect the organization's information through proactive, security-conscious behavior. To successfully protect information assets, employees at every level of the organization require a thorough understanding of security policies, as well as their respective responsibilities in protecting these assets. Additionally, technical product training helps the IT personnel ensure that they properly implement and manage their technology and optimize its functionality to better protect the organization.

Implementing a security awareness training program can improve application and infrastructure security and enhance security incident handling and response. Once employees have a basic understanding of security policies, they can apply simple steps to help them protect the organization's information.

To be effective, a security awareness program must be ongoing and include continuous training, communication and reinforcement. A one-time presentation or a static set of activities is not sufficient to address the ever-evolving threats to the security landscape. The key messages, tone and approach must be relevant to the audience and consistent with the values and goals of the organization.

Equally important, an awareness program must influence behavior changes that deliver measurable benefits. Merely providing security awareness training is not enough. Organizations need to know if training programs have been successful in changing behavior. Measuring the program's effectiveness requires metrics to be set in place from the start. Not only do metrics help establish a baseline of individual and organizational competencies in enterprise security, but they help identify gaps in current training initiatives that should be remedied. They also improve the methodology and content of training programs. Measuring training effectiveness can also prove useful in validating the competency of the training entity itself.

As with any program, the success of a security awareness program will rely heavily on how the information is delivered. Security awareness training should be incorporated into new employee orientation, as well as special training sessions by department - while executives and managers may be more receptive to training that is incorporated into regular management meetings.

A good way to reinforce what has been learned is to offer rewards and positive feedback to employees for improving their security behavior. Rewards can be presented to individuals or companywide. Announcements can be made through company newsletters or mass e-mails that show employees a comparison of statistics from before and after the training. Seeing that others in the company are making the effort to become more security-conscious will further encourage employees to continue good security behavior.

Designing a comprehensive set of computer-based training, seminars and other live training experiences, and communication tools, can all be part of a security awareness training program. But, to save time and be more efficient, organizations can also find outside help from industry veterans in the design and implementation of their training program.

/images/stories/heads/hamm_paula70x70.jpg Paula Hamm is vice president of Symantec Education Services. In this role she is responsible for the development and delivery of technical training to help customers maximize their investments in Symantec software, as well as custom learning services and IT best practices education.

Previously, Hamm was vice president of product management for Symantec Global Services. Prior to joining Symantec, Hamm held product management positions for various security product lines with Axent Technologies. In this capacity, Hamm developed the strategy for a new security management initiative, managed network scanning and Unix security tools. Before that, Hamm was the manager of systems engineering at Software AG. She has also held positions in systems engineering and database administration with EDS.

Hamm has a Master of Science from the University of Maryland and a Bachelor of Science in computer science from the University of Dayton. She can be reached at