Section 18: Training
Training takes money. Management would rather hire previously trained individuals. Ongoing projects cannot be interrupted for the sake of training. All of these are valid points, but none of them solves the underlying problem: if people are not trained to address a problem, that problem will not be addressed. In the area of information security, a lack of training among system administrators and a lack of awareness among users expose the organization to increased security risk. That risk translates directly into lost revenue through system or network downtime, data loss and unavailability, and damage to the corporate image. Since companies often do not take information security seriously, training in information security is taken even less seriously. The bottom line is this: if you don't train your staff on information security, it will be neither implemented effectively nor enforced.
INFOSEC Best Practice #189
Train staff and upper management on the importance of information security to the operation of their organization.
One of the major reasons for poor information security is that most upper management believes the risk of their systems being compromised by an external attack is very low. System administrators who do believe that INFOSEC solutions need to be implemented, and who go to management for approval of the expenditure, often have their requests rejected. The common reasoning is that if it hasn't happened up until now, it is unlikely to happen in the future, and therefore more pressing problems should be addressed first.
INFOSEC Best Practice #190
Train users on Best...