Apparently, there is "data breach fatigue" out there, and recommendations to cut down on security education, training, and awareness (SETA) are gaining traction.
The question is: should SETA activities be scaled back because of this fatigue?
The answer depends on the maturity of the information security (InfoSec) program, the jurisdiction / market, the industry, and the organization's culture. Frankly, a CISO / CIO / CTO should negotiate user freedoms (e.g., local administrative access, open Internet / Web / email access) in exchange for SETA. Meaning that if users have carte blanche, then SETA is required, necessary, and regularly conducted.
Also, less SETA should equate to more budget for preventive / detective capabilities.