Security Is Not Only Training It Is Culture

We all went to school, but how would you do if you were asked to retake your finals? Neither would I. Education fades unless it is regularly reinforced. And even the reinforcement is liable to go 'on autopilot' and lose its effect. Security needs to become an ingrained habit to truly work, and that means it needs to be part of your company culture.

Some organizations have a strong security culture, others not so much. The latter are the ones you will find in the story below: 'The Worst Security Snafus Of 2012 - So Far'. If the company as a group does not care much about security, that is reflected in everyone's behavior, including IT's approach to security and compliance, whether they like it or not. IT in those cases often does not get the budget to do it right.

Ideally, you need a security culture driven from the top down, one that makes sure institutional security knowledge gets documented, retained, drilled into new employees during their onboarding, and from there on kept alive by training, events, reminders and regular security audits that will have repercussions if someone fails.

Only then will the general consensus and necessity level be high enough to make your organization a hard target that is too expensive to attack.

