How to Cheat at Managing Information Security

This is all great stuff, but how do you get people to be interested enough to comply with the security rules? A carrot-and-stick approach is best.
First, you need to make it as easy as possible to follow your company policies. That means, as in our examples, you need to give the technical staff no room for doubt. You need to make them sign up to a standard that is practical. Then for all classes of users, you need to run a security awareness program to make sure everyone understands that they should comply.
Second, there is the stick. This means automated compliance audits and active enforcement. That could mean you being a mean person, but rules are rules.
Information security is all about people. If people understand and appreciate the dangers and risks associated with mismanaging information, the exposures become measurably reduced.
Awareness programs differ from organization to organization. A very formal investment bank will require a different technique from an Internet technology company. However, here are some tips that should work in both environments:
Best to get them when they are fresh Most companies have an induction process whereby they give new employees pension details and show them where the toilet is. Try and get information security included in the induction process. My last few organizations offered:
A short (one hour) first day induction session by HR Get a five-slide show together on passwords, viruses, and...