The Information Security Awareness Forum (ISAF) was commissioned by the advisory board of the Information Systems Security Association (ISSA) and is comprised of professional IT bodies such as the British Computer Society (BCS), the Information Security Forum and the Institute of Information Security Professionals (IISP).
Security awareness is seen as one of the key contributors to firms' security failures, so the ISAF will aim to utilise the significant resources of its member organisations to produce clear and consistent messages around IT security, according to ISAF chair David King.
"The difficulty we grappled with is how to do something different in this space when everybody is doing something else? There are a lot of overlaps and conflicting messages but also a lot of gaps to fill," he explained. "We do it by not reinventing the wheel – we recognise that everyone has a message but we can coordinate that across the industry to make a difference."
One such example is the coordination work the ISAF is undertaking to ensure a new resources portal from InfoSecurity Europe, christened the InfoSecurity Advisor and due to launch in April, doesn't overlap with existing sites like Get Safe Online.
Other forthcoming deliverables from the new organisation include a public awareness raising campaign to coincide with the InfoSecurity Europe event in April, as well as a new security guide for directors detailing what measures they need to take to protect their organisations.
The guide could raise the issue of information security prominently among parliamentarians too, argued Philip Virgo of the European Information Society Group (Eurim).
"If it puts the issues in a business context that could be very powerful in getting action at a political and corporate level," he added. "If the guide shows external good practice it [could become] a yardstick to hold up in parliament."
Chris Potter, a partner at PricewaterhouseCoopers who leads the annual Information Security Breaches survey, said that the ISAF could play an important part in helping those organisations that have been successful in improving security awareness share their best practice with others.
"There has been an enormous amount of learning and progress among the leading [organisations] which has been a challenge because … information security awareness is not really about awareness but changing behaviour, which is very hard," he added.
Kim Camman of mobile device encryption firm SafeBoot welcomed the initiative but said businesses and government organisations must also fulfill their responsibilities to educate users.
"Organisations have often relied on blanket emails to implement security awareness initiatives. However, we have all been guilty of deleting that 'internal email from corporate IT'," Camman added. "It should be obvious by now that this communications method alone falls short of changing behaviours surrounding data security."
Security awareness-raising forum is launched
By Phil Muncaster on Feb 13, 2008 11:34AM