Most threats are well known and recur frequently. Every stakeholder, from end users to senior management and the board of directors, needs to know the current top threats against your company and what you are doing to stop them. Some of the threats you face, like social engineering, can only be stopped by educating the people in your company. So the ability to communicate is often what separates a great IT pro from a mediocre one.
Communication is an essential skill for an IT security professional. But you can’t simply rely on your charming personality, because communication happens through a variety of methods, including face-to-face conversation, written documentation, emails, online learning modules, newsletters, tests, and simulated phishing.
Every good IT pro needs to be able to communicate clearly and effectively, both verbally and in writing. When appropriate, she knows how to create or purchase the needed education and communication vehicles. No matter what technical controls you deploy, every year something will make it past them, so make sure your stakeholders are prepared. At the very least, the following items should be covered in your education program:
- The most likely and most significant threats and risks against the organization
- Acceptable use
- Security policy
- How to authenticate and what to avoid
- Data protection
- Social engineering awareness
- How and when to report suspicious security incidents
Looking for some hands-on, practical information security education advice? Check out “Ways to improve security education in the New Year” at CSO Online.