005 Privacy and Security Awareness Training with Guest Rebecca Herold
Wednesday, March 18th 2009 @ 6:39 AM
Get a glimpse into the real-world problems of privacy and security awareness training from this episode’s featured guest, Rebecca Herold, (AKA PrivacyProf on Twitter). The following notes correspond to the content in this episode of The Streetwise Security Zone Podcast.
You can listen to the podcast while viewing this page on The Streetwise Security Zone website by clicking on the "Play" icon in the player widget above, or you can download it by clicking on the "Down Arrow" at the left side of the widget. It's also available through iTunes via the iTunes link in the left-hand column on The Streetwise Security Zone Podcast page of the website. Note that the times identified below represent absolute times on the timeline, not durations.
Editor's note - I apologize in advance for the ambient noise during parts of my interview with Rebecca. This is not the usual sound quality of my podcasts, but I didn't realize it until after we had finished our call. I tried to clean it up, and replaced some of my interview questions with better recordings in some places near the end.
Introduction - 0:00
The introduction gives a brief run through the topics covered in this podcast.
Today’s show features a discussion with Rebecca Herold, the Privacy Professor. Rebecca does a lot of teaching and consulting on the topics of privacy and security awareness. She’s written a number of books, and has a blog that she posts to on pretty much a daily basis. You can see her latest headlines right from the front page of The Streetwise Security Zone at http://www.streeetwise-security-zone.com
Security News - 1:20
The Heartland credit card breach involved almost 100 million credit cards. That’s more than twice the number involved in the TJX breach of two years ago.
Ponemon’s 2008 Annual Report on Costs of Data Breaches
The Ponemon Institute recently issued their 2008 report on the Cost of Data Breaches, in which they studied over 40 companies that had data breaches and did some interesting analysis to determine causes and costs.
Whether you think their average cost of just over "$200 per affected data record" is relevant to your business, there are some other bits of information in this report that most certainly are of interest to all of us.
Their statistical analysis appears to support my assertion that security awareness is the low-hanging fruit with the best ROI for a security budget.
The Ponemon report is worth the read and is free. Here’s a link where you can download the report:
Streetwise Security Zone site news - 4:15
The Honey Stick Project - We just passed 60% of devices being used.
Safe Web Surfing - Audio book available, with deep discount for SWSZ members.
Facebook Privacy and Security Guidelines - NEW audio book now available, also discounted for SWSZ members.
Risks in the News - 8:20
With tough economic times usually comes a wave of scams that target people who are most in need of hope. Unfortunately, we are seeing a rise in telemarketing scams that try to convince people that they have been approved for a government grant related to the "stimulus package". Of course, they charge a "processing fee" or ask for "personal or private information" that could be used for identity theft, which is how they make their money. The hoax-debunking site, www.snopes.com, has a good summary of the things to watch out for.
Product Review - The Sandisk Cruzer Enterprise secure USB Flash Memory Stick Solution - 9:20
I recently posted a review of the Sandisk Cruzer Enterprise USB Flash Memory at:
I found this to be a very strong solution for not only protecting against "data leakage" through the use of hardware-based encryption, but also for managing the lifecycle of mobile data and USB Flash Drives that travel outside the protection of the organization.
Q&A Feedback - 11:20
I invite you to send me an email at firstname.lastname@example.org or call and leave a voicemail message at 613-693-0997 with your comments or questions about security awareness, or any topic you care to discuss.
I’m also interested in hearing from you to find out how you heard about The Streetwise Security Zone Podcast, what you like about it and how it is helping you; or if it’s not helping you. It doesn’t have to be a positive comment, either. I want to make this podcast useful to as many people as possible, and I value your input.
Conversation with Rebecca Herold - 12:30
- Introduction to Rebecca Herold, The Privacy Professor.
- The disturbing trend of cutbacks leading to greater risks.
- The need to do initial organizational assessments before applying security controls
- Security inadequacies stemming from a “compliance” mentality
- How technology-oriented business drivers are leaving security and privacy considerations behind
- Why off the shelf products require increased focus on security awareness
- Economic influences on employee likelihood of becoming insider threats
- What types of cutbacks are organizations making that are potentially dangerous?
- Rationalizing security as a “foundation” investment instead of an unnecessary expense
- Compliance with regulations is not sufficient for most businesses
- How are the most regulated industries doing with security and privacy?
- How awareness affects quality and mistakes
- How management's skepticism about training becomes a self-fulfilling prophecy if they skimp on quality
- How training quality can be improved
- How much can you expect people to remember from a single class?
- How to make training content stick over time
- Why measurement of student retention is important in getting good results
- How the Honey Stick Project relates to measuring security awareness
- Rebecca’s “Protecting Information” newsletter’s metrics tips
- The impact of being able to show metrics
- What about the new US government’s position on information security and privacy going forward?
- Should Obama be able to keep his Blackberry?
- Electronic Health Records (EHR) and Medical identity theft
- Rebecca’s eye-opening experience, and the importance of “knowing your audience’s motivations and objectives” when talking about security
- Why executives aren’t hearing IT people’s messages about security
- Innovative approaches to security training that have provided good results for Rebecca
- When is effective training not considered training?
- Contacting Rebecca
www.twitter.com/privacyprof - on Twitter
Thanks to Rebecca for joining us and giving us some insights into what she's seeing in the world of privacy and security awareness training. I'm hoping we can work together in future to create some great content for members of our community.
If you’re not already a member, please join The Streetwise Security Zone at:
You can subscribe to this podcast on iTunes at:
Thanks for listening!
(If you'd rather see written transcripts of my audio podcasts, please let me know.)