Says Paller of the SANS Institute: "Awareness education doesn't work. The current security awareness programs are not effective at keeping people from making the mistakes that cause their computers to become zombies.
"Managers are right to resist security awareness training that's ineffective. Why should I send a person to training if they won't do anything differently?"
Four years after Sept. 11, not all IT executives remain on their guard.
Negligence is the biggest security worry for IT executives
Companies are failing to take steps to improve security awareness.
Security isn't truly strategic until it's integrated with risk management.
Companies still aren't going the extra mile to keep customer and employee data private.
Technologies that prevent identity theft lag behind other security technologies.
DeZabala notes that it is easier to justify spending on technology than on training.
"If you are skeptical about these programs, will you be criticized if a security event occurs, and you've spent your money on training and awareness rather than on something that's technological or operational in nature?" he said.
Our survey suggests that if companies want to lower the risk of negligence, carelessness and management resistance, they need to put security into a broader, more strategic perspective, rather than just take a defensive posture.
Companies with a real security strategyespecially one that's grounded in corporate risk managementtypically take more steps to protect themselves from employee carelessness and ignorance.
Such companies are much more likely to provide training and security updates, and to develop policies regarding e-mail attachments and network access.
Harte-Hanks, for example, has taken many steps to raise employee awareness, from alerting employees about new threats, to brown-bag luncheons and asking employees to sign documents attesting to their security and confidentiality standards.
According to Siesel, the key is to show employees the direct impact a security lapse could have on them and their company.
"When people understand how their behavior can affect their customers, their company or themselves, they are more likely to take steps to protect them. They could lose stock value. The company could be shut down. We could lose important customers."
Companies that develop an integrated IT-risk management strategy are also more likely to establish responsibility for managing IT risk between IT and business managers, which helps to make sure that management will stand behind the company's IT security policies.
If, as Schneier says, companies need to create "a culture of security" from the top down, putting in the time and effort to work with executives to develop a real, workable security strategy appears a necessary step.
More Alarming Results: