


The Streetwise Security Zone Podcast

005 Privacy and Security Awareness Training with Guest Rebecca Herold

Wednesday, March 18th 2009 @ 6:39 AM


Get a glimpse into the real-world problems of privacy and security awareness training from this episode’s featured guest, Rebecca Herold (AKA PrivacyProf on Twitter). The following notes correspond to the content of this episode of The Streetwise Security Zone Podcast.

The episode is also available through iTunes. Note that the times identified below are absolute positions on the timeline, not durations.

Editor's note - I apologize in advance for the ambient noise during parts of my interview with Rebecca. This is not the usual sound quality of my podcasts, but I didn't realize it until after we had finished our call. I tried to clean it up, and replaced some of my interview questions with better recordings in some places near the end.

Introduction - 0:00

The introduction gives a brief run through the topics covered in this podcast.

Today’s show features a discussion with Rebecca Herold, the Privacy Professor. Rebecca does a lot of teaching and consulting on the topics of privacy and security awareness. She’s written a number of books, and has a blog that she posts to on pretty much a daily basis. You can see her latest headlines right from the front page of The Streetwise Security Zone at

Security News - 1:20


The Heartland credit card breach involved almost 100 million credit cards. That’s more than twice the number involved in the TJX breach of two years ago.

Ponemon’s 2008 Annual Report on Costs of Data Breaches

The Ponemon Institute recently issued their 2008 report on the Cost of a Data Breach, in which they studied over 40 companies that had data breaches and did some interesting analysis to determine causes and costs.

Whether you think their average cost of just over "$200 per affected data record" is relevant to your business, there are some other bits of information in this report that most certainly are of interest to all of us.

Their statistical analysis appears to support my assertion that security awareness is the low-hanging fruit with the best ROI for a security budget.

The Ponemon report is worth the read and is free. Here’s a link where you can download the report:

Streetwise Security Zone site news - 4:15

The Honey Stick Project - We just passed 60% of devices being used.

Safe Web Surfing - Audio book available, with deep discount for SWSZ members.

Facebook Privacy and Security Guidelines - NEW audio book now available, also discounted for SWSZ members.

Risks in the News - 8:20

With tough economic times usually comes a wave of scams that target people who are most in need of hope. Unfortunately, we are seeing a rise in telemarketing scams that try to convince people that they have been approved for a government grant related to the "stimulus package". Of course, they charge a “processing fee”, or ask for "personal or private information" that could be used for identity theft, which is how they make their money. The hoax-breaking site, , has a good summary of the things to watch out for. -money-during-a-recession-are-usually-too-good-to-be-true.html

Product Review - The Sandisk Cruzer Enterprise secure USB Flash Memory Stick Solution - 9:20

I recently posted a review of the Sandisk Cruzer Enterprise USB Flash Memory at: nDisk-Cruzer-Enterprise.html

I found this to be a very strong solution for not only protecting against "data leakage" through the use of hardware-based encryption, but also for managing the lifecycle of mobile data and USB Flash Drives that travel outside the protection of the organization.

Q&A Feedback - 11:20

I invite you to send me an email at or call and leave a voicemail message at 613-693-0997 with your comments or questions about security awareness, or any topic you care to discuss.

I’m also interested in hearing from you to find out how you heard about The Streetwise Security Zone Podcast, what you like about it and how it is helping you; or if it’s not helping you. It doesn’t have to be a positive comment, either. I want to make this podcast useful to as many people as possible, and I value your input.

Conversation with Rebecca Herold - 12:30

- Introduction to Rebecca Herold, The Privacy Professor.

- The disturbing trend of cutbacks leading to greater risks.

- The need to do initial organizational assessments before applying security controls

- Security inadequacies stemming from a “compliance” mentality

- How technology-oriented business drivers are leaving security and privacy considerations behind

- Why off the shelf products require increased focus on security awareness

- Economic influences on employee likelihood of becoming insider threats

- What types of cutbacks are organizations making that are potentially dangerous?

- Rationalizing security as a “foundation” investment instead of an unnecessary expense

- Compliance with regulations is not sufficient for most businesses

- How are the most regulated industries doing with security and privacy?

- How awareness affects quality and mistakes

- How management's skepticism about training becomes a self-fulfilling prophecy if they skimp on quality

- How training quality can be improved

- How much can you expect people to remember from a single class?

- How to make training content stick over time

- Why measurement of student retention is important in getting good results

- How the Honey Stick Project relates to measuring security awareness

- Rebecca’s “Protecting Information” newsletter’s metrics tips

- The impact of being able to show metrics

- What about the new US government’s position on information security and privacy going forward?

- Should Obama be able to keep his Blackberry?

- Electronic Health Records (EHR) and medical identity theft

- Rebecca’s eye-opening experience, and the importance of “knowing your audience’s motivations and objectives” when talking about security

- Why executives aren’t hearing IT people’s messages about security

- Innovative approaches to security training that have provided good results for Rebecca

- When is effective training not considered training?

- Contacting Rebecca - on Twitter

Conclusion - 64:00

Thanks to Rebecca for joining us and giving us some insights into what she's seeing in the world of privacy and security awareness training. I'm hoping we can work together in future to create some great content for members of our community.

If you’re not already a member, please join The Streetwise Security Zone at:

You can subscribe to this podcast on iTunes at:

Thanks for listening!

(If you'd rather see written transcripts of my audio podcasts, please let me know.)




Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997

ScottWright said on Thursday, March 19th 2009 @ 6:35 AM:

After publishing this podcast, Rebecca contacted me with an update regarding HIPAA sanctions.

Here's her update...

When we recorded this, it was before the HHS had issued the 2nd HIPAA sanction to CVS for a considerable $2.25M.

I blogged about it here:

I mentioned, though, in our podcast that there has only been one sanction so far. So, now there have been two sanctions issued, and precedents are starting to be set for penalizing non-compliant organizations.

Thanks to Rebecca for providing this "real-time" update. (Now I see where she gets her blog domain name.) ;)


RebeccaHerold said on Thursday, March 19th 2009 @ 2:04 PM:

Scott, thanks again for inviting me to chat with you; I really enjoyed discussing the issues with you! I look forward to talking with you again sometime.

Thanks also for the update regarding the HIPAA sanctions. :)


Copyright 2012. Security Perspectives Inc. All Rights Reserved.