on January 25, 2011
This book is a must-read for anyone building an information security awareness program. Ms. Herold lays out a fantastic game plan for security awareness for not only the sake of information security, but to meet regulatory compliance as well. For me, this book was used as a reference guide. When I was tasked with developing and improving upon an already existing security awareness program, I used many tactics right from this book. The concept of measuring the effectiveness of the program throughout is woven throughout this book. Being able to show the effectiveness of an information security awareness program is important in the best of times, but as budgets shrink metrics become absolutely critical.
on April 14, 2011
Rebecca Herold is one of the leading authorities and experts on privacy and information security awareness training. What sets her apart beyond her extensive background in computer science is that of an educator. She is particularly focused on the adult learner and what motivates them. Unfortunately, Privacy and Information Security Awareness training is too often relegated to security specialists who typically do not have a clue on how to effectively develop or manage a program for training users. Treated as just another policy or regulatory mandate that needs to be checked off, it's tasked to an already overburdened security professional. No wonder what often develops is a generic program with no relevance to the organization or the employee's role. Or even worse, a "Death by PowerPoint" slideshow masquerading as training.
With all that said, it's understandable. Given today's budget constraints and other demands it's not always possible to develop an awareness program tailored to your organization and its particular users and needs. However, responsible organizations still need to perform the due diligence necessary to evaluate the most appropriate options and deliver the best program possible. If you are committed to this goal there is no better resource than Managing an Information Security and Privacy Awareness and Training Program by Rebecca Herold.
While Ms. Herold does not provide detailed content on privacy and information security awareness (although the book is overflowing with references to such material), she does provide an incredibly comprehensive framework for developing and managing a program. It is broken down into 19 chapters and 22 appendices that provide relevant and detailed information on all aspects covering the why, what and how of managing an awareness program. Some key chapters include:
- Why Training and Awareness are Important (provides solid arguments in justifying a comprehensive program)
- Get Executive Support and Sponsorship
- Define Your Message
- Common Corporate Education Mistakes (must reading!!)
- Getting Started (excellent roadmap for any organization)
If you're looking to buttress an argument that privacy and information security awareness training is useful in reducing security incidents, the information in chapter 3 that outlines specific legal and regulatory requirements for doing so will drive your point home.
Although the book is comprehensive, it also serves as a useful quick reference. For instance, in chapter 14 on "Awareness Materials Design and Development" she includes over 250 Awareness ideas - from inviting guest speakers to talk about information security, to creating special fortune cookies with an information security awareness message. This list alone is worth the cost of the book for many organizations trying to come up with new and clever ideas to raise awareness.
Lastly, while this is not a book you will download to your Kindle for a read at the beach, it is very clear and well written. I did not find any significant errors, omissions or outdated information, which unfortunately is all too rare these days in books of this kind.
Forget trolling through myriads of blogs, magazine articles, websites and fluff-filled books. This book is the resource you need.
on January 1, 2006
Rebecca Herold introduces her own book very eloquently: "I wrote this book to provide a starting point and an all-in-one resource for information security and privacy education practitioners. I incorporated much of the information and knowledge I obtained while working on my MA in computer science and education as applicable to providing education to adult learners. Additionally, I included the same type of information that I have used and found helpful over the years when creating awareness and training programs ... My goal was to provide a more comprehensive resource of everything involved with managing an information security and privacy training and awareness program than I had been able to find - a reference for practitioners to go to when implementing any part of their education program and get ideas that will help them be successful with their own program."
The book explains the techniques for raising awareness and training employees on a wide range of information security and privacy topics. The entire 'lifecycle' of a security awareness program is covered: program initiation - gaining executive sponsorship and support for the value of, and necessity for, a security and privacy awareness program (e.g. to satisfy legislative and regulatory compliance obligations); program design, delivery and execution - identifying target groups and topics to cover, methods of delivery/communications including motivational techniques, sources of awareness materials etc.; program management and review - hints about planning, controlling and evaluating an ongoing (rolling, continuous) security and privacy awareness program, ensuring that it remains on-track and effective.
As well as numerous changes throughout the text, the 2011 second edition incorporates a thought-provoking collection of 'leading practices', i.e. short papers from 'some of the most successful information security awareness and training practitioners' (besides Rebecca!), bringing the book bang up to date with current thinking. [Disclaimer: I wrote one of them]
Rebecca is extremely well qualified to write about security awareness. With long experience in the field, she has designed, built and delivered prize-winning security awareness programs, and has authored numerous books and articles. An MA in Computer Science and Education lends weight to her emphasis on providing educational materials to suit adult audiences rather than simply adopting techniques more suited to teaching schoolchildren.
At over 500 pages, this is no lightweight superficial textbook. As noted above, the coverage is comprehensive. Just for examples, the list of potential information security topics runs to 60 items explained in 18 pages. The coverage is reasonably even throughout with plenty of meaty content in every section. I can't think of any substantial improvements.
The book may be overwhelming to someone just starting out on their information security and privacy awareness program. The chapter on 'Getting started' is a great place to start, with details of how to identify key contacts, review the organization's existing approach to awareness and training, and a handy road-map that would serve as a good starting point for a high level project plan. The book is essential reading for more experienced information security professionals, especially those tasked with 'doing awareness'. Even seasoned security awareness practitioners like me will learn new things from this book: my first edition of the book is certainly well-thumbed.
Rebecca's writing style is engaging and stimulating, easy to read yet at the same time thought-provoking. The book is chock-full of good ideas, not just theoretical concepts but solid practical advice that can be put to use immediately. A side effect is that there are lots of lists, tables and bullet points but they are well structured and succinctly summarize the key points. When I'm stuck for awareness ideas, I know I'll almost always find something immediately useful in one or other of the lists: it's an excellent reference text.
Extensive appendices (130 pages) include sample awareness materials and plans, a security glossary, various checklist/questionnaires and references.
Conclusion: this is the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, I recommend it unreservedly.
on June 23, 2011
There is one individual who always has our security and privacy interests first and foremost: Rebecca Herold. Recognized as one of the "Top Influencers in IT Security," one of the "Best Privacy Advisors in the World," and holder of five professional certificates (CIPP, CISM, CISA, CISSP, FLMI), Rebecca is an internationally-known author, blogger, instructor, and consultant specializing in information security, privacy, and compliance.
Rebecca's book, Managing an Information Security and Privacy Awareness and Training Program (2nd Edition) is the definitive read on the subject, but it isn't just for infosec professionals. It offers a wealth of data for professionals in all business units in addition to techies because as Hal Tipton wrote in the foreword, "Information security is now realized by many experts to be more of a people problem than a technical one."
The key is that information security and privacy awareness must become part of an individual's job - something that becomes second nature like effective time management practices. When employees become lax or leaders stop focusing on the importance of information security and privacy, well, we don't want to remind ourselves what happened recently with Epsilon, Sony, Sega, and Citigroup.
Also, the information must be clear and engaging. If it is complex, employees will avoid reading the information like the plague. As Rebecca suggests, "Make it easy for personnel to get security and privacy information, and make the information easy to understand...[And] the most important aspect to remember is that security awareness is ongoing and not just an event to do once." Bottom line: make information security and privacy awareness training a regular occurrence.