Any company that wants to ensure the highest levels of security is likely to find that the biggest challenges involve company culture and organisation, rather than technology implementation.
In a report entitled 'How to manage an information security awareness programme', analyst Rich Mogull of technology research firm Gartner said: 'IT security managers must create clear, enforceable security policies and lead by example to promote a "security-aware" corporate culture ... Employee education and accountability will be key components of the programme.'
Mr Mogull recommends that companies create a concise security policy and make employees sign it to ensure accountability. He said the policy should include areas such as acceptable usage, remote access, information classification and privacy, and password management.
Once the policy has been drawn up, companies are advised to introduce education programmes to increase security awareness among employees. 'Education is a critical element of information security awareness. It's difficult to be aware of security incidents if you don't know what the issues are,' he said.
He recommends dividing education into two parts: company policies and how to protect yourself.
'Employees should understand why security is important and how it affects the health of the company and their work ... All employees should understand that their personal efforts make a difference.'
Meanwhile, in a separate report entitled 'IT security and operational management must converge', Gartner recommends greater co-operation between the IT security and IT operations teams to ensure security needs are met in large enterprises.