GWillmot
Viewer II

Teaching Employees about Information Governance

Hello, all.

For many of us, cybersecurity is so often about teaching and training others how to operate securely.

I'm finally in a position where I'm moving away from our Security Awareness Training sessions being exclusively about phishing, social engineering, and attack demos. Instead, we're going to introduce the employees and management to topics of Information Governance with examples tailored to our company.

In our industry, we're heavily focused on data analytics, so 100% of the workforce is in some way responsible for the Confidentiality, Integrity, and Availability of our data. Right now, I'm just trying to establish a common language, knowledge base, curiosity, and interest to get everyone talking and realizing the assets we have and the importance of protecting them.

I'm curious where other people have found success (and failures!) when training people on this area: What worked, what didn't, what tips can we share?

Thanks!

./g

JoePete
Advocate I


@GWillmot wrote:

I'm curious where other people have found success (and failures!) when training people on this area: What worked, what didn't, what tips can we share?


When it comes to GRC, compliance is probably the easiest concept to get across. Part of that is HR (or someone else) has been doing that paperwork for years. Governance and Risk are harder concepts and they really have to be top-down. My experience is the best chance at effectiveness is spending the money and bringing in an outside consultant to look at and explain governance. You really need to delineate the strategic role (i.e., the board) from the executive/operational one (management). If a board gets that, then policy, guidelines, and procedures make more sense. It's hard to do that from inside though.

The challenge with Risk is the process. It is a strategic decision (meaning a board should be involved somewhere) but to make an accurate calculation, it has to be done at a pretty detailed operational level. That might happen once - a risk analysis that feeds to a board. However, risk is a moving target these days. In my view, you need a really well-defined process that moves from data to calculation to actionable intelligence for the decision-makers (including whether something should hit the board or just management), but it also has to allow anyone in that process to throw up a red flag when new information comes to light. I think that also helps people into the process; they feel like their input is important.