Main Nav

Security Awareness Programs - Compliance vs. Impact

I'm very happy to be invited as guest blogger for EDUCAUSE during Security Awareness Month. Over the course of the next couple weeks I and several others will be sharing with you some key lessons learned on how to deploy effective awareness programs. For today I wanted to share with you something I am very passionate about, the difference between compliance and impact. Traditionally most awareness programs have focused on compliance, meeting requirements set down by certain standards. For the edu community this includes standards such as FERPA, GLBA and RFR. Compliance is important, we must ensure that your school meets these standards. Unfortunately though compliance can also be a hinderance, especially when it comes to awareness. Often management's goal is simply to check the box and invest the absolute minimum to achieve compliance, perhaps nothing more then some power point slides once a year. My passion and goal is to see organizations go beyond just compliance and attempt to make a difference, to change behaviors and make people more secure in their daily lives. This is much harder to do. It requires much more planning (such the different groups you want to teach and which behaviors to change) and requires much more resources as this is a long term investment. Just like securing any other operating system, securing people is a life-cycle, a continuous process of updating and reinforcing (just like you patch computers every month). Next post I'll discuss how you can create such a program, one that is both compliant and has an impact.

AUTHOR: Lance Spitzner is Technical Director of SANS Securing The Human program. You can follow him on Twitter @lspitzner or contact him at

Tags from the EDUCAUSE Library