Information security personnel are unsung heroes who should receive more recognition for the hard work they do to keep businesses safe from internal and external security threats.
That's what Luisa Gentile, senior awareness and transformation manager for corporate security at Vodafone, told the audience at Computing's Enterprise Security and Risk Management Summit, which took place at Hilton Hotel Tower Bridge.
Gentile was giving the event's afternoon keynote, titled "Driving a Security Culture in Vodafone". What helps achieve that, she argued, is "recognition for people's hard work." That mantra has seen the telecommunications company introduce rewards related to information security, which are given for achievements in the area or helping to "humanise" the issue and make it more relevant to the wider corporation.
"I don't know why, but information security people are sort of unsung heroes. Nobody knows what they do, nobody knows how much they work, nobody knows the hell they work through every day. Why is that?" Gentile asked.
Vodafone set up the scheme to publicise the work information security staff do. That led to wider praise – and awareness of the issues – throughout the firm, which in turn gave information security staff wider encouragement.
"So eventually they became popular with comments like this, saying thank you so much, we are so happy to be thanked, to be recognised. Even if there were only 11 finalists, or 53 case study stories, everyone was happy because for the first time ever, people talked about them and people came to them saying well done, thank you," said Gentile.
She added that publishing the work information security personnel were doing also raised awareness of the issues in other parts of the organisation.
"It was also a good way to encourage good practice sharing because people thought [for example] 'I've seen that happening in Albania, can you do it in the Czech Republic?' So it was a great opportunity to share good ideas."
Gentile pointed out that the awareness can't be a one-off, which is why she has a policy of constantly rolling out security case studies for Vodafone staff to read.
"You have to keep the buzz alive, it can't all be just forgotten in three days. So for me, you need to repeat what you've seen for the last year, because you have to get the stories, write them, get people to vote for them and so forth," she said.
"There are two simple messages. The first is [that] I publish all the stories as I get them so everybody sees them. Second, I have a magazine not only of 'do this and do that' process procedures, but also about people and nice achievements," Gentile continued, adding that the results are also regularly presented to CEOs.