Frequently Asked Questions about SecAware
What's wrong with creating my own awareness & training content?
Nothing, provided you have the capability and resources to do so. However, it's harder than it seems to prepare effective awareness and training content. There's both art and science to it. It's not just a matter of assembling a random assortment of stuff grabbed from wherever. Telling people what not to do, and warning them about dire consequences if they do, may not be the most sensible approach. This is adult education on a complex and largely technical topic, with a diverse audience for whom the topic is perceived as peripheral or irrelevant to their lives and jobs. Frankly, even spelling and grammar are challenging for some awareness authors, let alone motivational text and compelling graphics!
Can't I just get free stuff off the web?
You can ... but ... be careful about copyright. Respecting Intellectual Property Rights is just one of the things your colleagues need to understand: 'do as I say, not as I do' is a poor way to teach or tell.
We only need the basics. What use is the rest?
The basics are a great place to start - start being the operative word. If your awareness and training only covers the basics, you are missing out on the business benefits of a security aware workforce, a "security culture". Worse still, your organization is not just facing basic threats: if you have any kind of Internet connection anywhere in the organization, you are exposed to the entire world. If you have valuable trade secrets and sensitive personal information to protect, the basics definitely won't suffice. If you depend on information (with or without IT), you are hanging by a thread above the Pit Of Disaster with only basic security in place, including minimal security awareness.
Does your content cover regulation 12345 part 6 article 7 clause 8.9.10a?
If it relates to information risk and security, almost certainly yes ... but probably only in a general way: with a few exceptions (such as GDPR) we deliberately shy away from focusing on specific laws and regulations for two key reasons:
Can you cover a specific topic for us?
Yes. Please tell us what you're after. With gigs of content on hand, we probably already have relevant security awareness and training content unless your topic is highly specific or obscure ... in which case we can prepare fresh materials for you. Let's talk!
Do you maintain the content?
Not exactly. Once you have purchased and downloaded materials from this website, we are unable to maintain them for you. We no longer even have access to or control over them, assuming your security controls are effective anyway!
Our ISMS IT system includes documentation: why would we need more?
The built-in content may be sufficient ... but we can do better. We've been working with the ISO27k standards since the 1990s, preparing information security strategies, policies, procedures, awareness and training content all that time. Our breadth and depth of experience is unparalleled. The documentation provided with several commercial ISMS systems and services, even some ISMS toolkits, is generally basic and limited. Aside from poor grammar and phrasing, the materials have typically been prepared by technologists with a narrow perspective on the field. We understand that information security and privacy are more than just compliance imperatives: there are business objectives to both protect and exploit information, hence a balanced view is essential.