By Chris Griggs, Founder and CEO
Internalization. It is the process of consolidating ideas and concepts into one’s very self-identity. I tend to think of internalization as a measure indicating a concept has been learned and prioritized in such a way that it becomes an ever-present factor in decision making.
When it comes to information security (InfoSec), businesses generally fail to make significant progress in preventing security violations and breaches caused by insiders because they fail to truly internalize InfoSec in their employees.
Many companies provide InfoSec awareness training for employees. If the training is perceived as ineffective, it will be dropped or possibly even replaced with more expensive training. In reality, the training is probably fine. What’s missing is a mechanism for internalization. Without it, the information will likely soon be forgotten.
The keys to internalizing InfoSec in business employees include:
- Ownership. The employees must have “skin in the game” when it comes to InfoSec. They must expend enough effort in preparing themselves to combat InfoSec threats that they feel they are invested in the outcomes of InfoSec initiatives. Finally, there must be an expectation of accountability and recourse for both successes and failures.
- Application. InfoSec must be transported from the realm of theory into the realm of practice through conscious, supervised application of learned behaviors in the actual work environment.
- Sustainment. Repetition and perpetuity of training and application are critical in ensuring long-term internalization and that employees stay up-to-date in the latest InfoSec trends.
You might think of the relationship of the above keys with InfoSec awareness training as being similar to the relationship between vitamin D and calcium. Just as vitamin D helps promote the absorption of calcium to improve bone health, ownership, application, and sustainment promote internalization of InfoSec awareness training to improve information security.
If businesses wish to create InfoSec champions out of their employees, they must move beyond training and look at new and innovative ways of internalizing InfoSec.