Security awareness and leadership

- [Instructor] As technology continues to advance and processes and requirements continually change, one thing remains constant, and that is the people. While advancements in technology have taken some of the human aspect out of the equation, there is one that will never be able to be replaced, and that is the end user. The term, user, is utilized often in security, and is defined as a person or group of people that operate within your business environment including but not limited to operating computers, systems, applications, networks, and more. This term is typically used to describe employees in a more technical sense, and is often associated with a username, login name, or screen name. Let's take a look at the leadership. Usually, though not always, within a security organization, there will be a CISO or CSO that leads the security team. The difference between a CISO and a CSO is that CISO stands for chief information security officer, and means that the team consists of just logical and technological security positions and areas of focus. Whereas the CSO stands for chief security officer, and usually means that this group is all-encompassing of security, including both logical and physical security within the respective groups. Many times under the CISO or CSO security umbrella is a dedicated area to protect the human element. Typically, this falls under the name of security awareness, though it may be named a few other things, such as security training, security education, security culture, and even human risk officer. Security awareness is a person, group, or team that focuses on awareness, training, communications, and education for the employees of the organization. Their goal within the program is to help make the employees more knowledgeable of the risk, both they and their organization face, as well as what to do if they are faced with those risks. Their end goal is to create a more security-minded environment and risk-averse culture. While a security awareness person, team, or group is essential to any successful security program, this team can't be everywhere to train everyone. One approach to help expand their awareness efforts is to create a network of extensions of the security team, which is often called security champions. Other terms used interchangeably include security ambassadors, partners, or liaisons. A security champion is someone in a company that volunteers their time to help create a more secure environment as well as helps develop a two-way pipeline between security and other groups, regions, and organizations within a company. While there are many positions, teams, and individuals we didn't list that make up the people side of security, the three we did cover all can work together in a business or organization to accomplish one goal, securing the company and its assets and data.