I would start with assessing the company, employees, and the IT assets. I would then have written policies and procedures around protecting the IT assets. In addition to the written policies, I would make sure senior management agrees with them so the policies can be a top-down approach. Next, I would assess and determine the level of awareness and training needed for each type/group of employees based on what IT assets they use to perform their job, and be sure that all users in the company are targeted to receive training. After determining the level of training, I would then assign the type of training for each user (employee) based on one of three levels: awareness (to cover a broad group of users at a very basic level, for example, don’t share passwords, educate on phishing emails, etc.), training (which would be more than the basic user, but not as in-depth as for an IT specialist), or education (which would be in-depth, detailed training for IT specialists). I would then implement a SETA program that was continuous (e.g. once a month), easy enough for basic users to understand, interactive (i.e. quizzes with an acceptable pass rate to move forward), and cost-effective (i.e. web-based learning). After implementation, I would assign someone to monitor who completed the training and who did not. For those that do not complete the training, have consequences (i.e. remove access until complete) that will encourage completion.
Hi Jill,
I find the idea of using different levels of training interesting. When developing a SETA program, perhaps utilize a tiered system of additional training based on the group the employee is in (i.e., IT specialist). I think it is still important to go over the basics even with an IT specialist, as it reinforces fundamental knowledge, but I also agree that additional training based on the role should be utilized.
Hello Jill,
To add to your point, knowing what assets the company owns is very crucial. It helps with identifying certain areas that may require more emphasis during the training. Systems that hold sensitive data require more security, and assessing the IT assets the company owns helps with training preparation.
You made an important point about having different levels of training for different levels of users. The sales team doesn’t need the same level of security training as sysadmins or software developers.
The first thing I would do is engage stakeholders and make sure that they understand the importance of a security awareness program. Typically the budget for a solid security awareness program revolves around “selling” the importance of implementing said program. You can most definitely create your own in-house trainings, but more often than not the time and effort that would go into the training would be gratuitous. It’s hard to keep users engaged for such trainings. Users typically deal with annual/semi-annual trainings for all sorts of things like anti-harassment, anti-bribery, etc. Keeping users engaged when speaking about a topic a user isn’t particularly interested in is hard, and if the user isn’t engaged, they’re likely to retain little to none of the content. This budget, with the support of stakeholders, would allow purchasing of an already well-built, informational, and dare I say fun training to keep users engaged. Additionally, when leveraging a company that sells their training, you can often purchase modules that pertain to your organizational needs while excluding those that aren’t relevant to your organization. You can tailor specific modules for employees based on their position in the company. While phishing email training may be pertinent to a large majority of users in a company, for a user in a warehouse who only logs into a computer to access their shipping software and doesn’t use/have a company email, phishing email training wouldn’t really be pertinent to their daily responsibilities. However, training surrounding what is and isn’t appropriate to do while utilizing their company-owned device would be pertinent.
Hi Nicholas,
I agree that engaging stakeholders about the program is important, as they need to agree on the importance of implementing such a program organization-wide. However, I do disagree that an employee who only logs into a computer and doesn’t have a company email should not be a part of phishing email training, as they could be contacted from outside the company for computer details as part of a phishing campaign. In general, I would say that basic training should apply to all employees even if it does not seem like it does due to a lack of access.
The first thing I will do is analyze and assess the current cyber security awareness level so as to determine employees’ overall security awareness. In the majority of organizations, employees, managers, and top board members often find cyber security training very boring, stating that securing the IT infrastructure should be left to the IT department. But in reality, if the IT infrastructure and business processes are not inextricably linked, it would be hard to forge a reliable cyber security awareness program. However, educating employees that securing the IT infrastructure of the organization is everyone’s job is the first step to creating a working awareness program.
In addition to sensitizing employees to cyber security, random drills can test how employees respond to a security incident, such as sending fake phishing emails to employees as a test and aggregating the responses. Depending on the number of employees that fall for the test, if it’s a large percentage it means the organization needs to focus on training employees how to spot and handle phishing emails.
After aggregating the responses, I will collaborate with the Board of Directors and IT resources on a working budget to craft mandatory training modules in line with the business processes for employees, and as a prerequisite for new hires, in the form of visual and electronic manuals that will sensitize them to how important it is to protect information and IT infrastructure, how to handle and report incidents immediately when they are spotted, training for safeguarding company assets, and protection of PII and PHI.
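Two of the posts above describe bookkeeping that is easy to get wrong by hand: the first post assigns each employee an awareness / training / education level by role and tracks who has not completed training so access can be pulled, and the post just above aggregates the results of a fake-phishing drill to see which groups need more attention. The script below is an added example (not code from any participant in this thread) that does both over a small constructed roster. The role-to-level mapping, the 30-day completion window, the 25% click-rate threshold and all names and dates are assumptions chosen for illustration.

```python
# Added example (not from the thread): role-based SETA levels, phishing-drill
# metrics per department, and a list of users whose training has lapsed.
# Every roster entry, drill result and completion date below is constructed.
from collections import defaultdict
from datetime import date, timedelta

# Assumed role -> SETA level mapping. Roles not listed default to "awareness"
# so nobody is excluded from the baseline module (as the replies argue).
TIER_BY_ROLE = {
    "sales": "awareness",
    "warehouse": "awareness",
    "helpdesk": "training",
    "developer": "training",
    "sysadmin": "education",
    "security": "education",
}

# Constructed roster: (user, department, role).
ROSTER = [
    ("alice", "sales", "sales"),
    ("bob", "sales", "sales"),
    ("carol", "ops", "warehouse"),
    ("dave", "it", "sysadmin"),
    ("erin", "it", "developer"),
    ("frank", "it", "security"),
    ("grace", "finance", "analyst"),  # role not in the map -> awareness
]

# Constructed phishing-drill results: (user, clicked_link, reported_email).
PHISH_RESULTS = [
    ("alice", True, False),
    ("bob", False, True),
    ("carol", True, False),
    ("dave", False, True),
    ("erin", False, False),
    ("frank", False, True),
    ("grace", True, False),
]

# Constructed completion records: user -> date the last module was passed
# (None means the user has never completed it).
COMPLETIONS = {
    "alice": date(2024, 1, 10),
    "bob": date(2024, 3, 1),
    "carol": None,
    "dave": date(2024, 2, 20),
    "erin": date(2024, 3, 5),
    "frank": date(2024, 3, 7),
    "grace": date(2023, 12, 1),
}

# Assumed "today" for the overdue check, so the example is reproducible.
REVIEW_DATE = date(2024, 3, 15)


def training_tier(role):
    """Map a job role to awareness / training / education (default: awareness)."""
    return TIER_BY_ROLE.get(role, "awareness")


def tiers_for_roster(roster):
    """Return {user: tier} for every person on the roster."""
    return {user: training_tier(role) for user, _dept, role in roster}


def phish_metrics(roster, results):
    """Per-department click rate and report rate from a simulated campaign."""
    dept_of = {user: dept for user, dept, _role in roster}
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for user, clicked, reported in results:
        bucket = totals[dept_of[user]]
        bucket["sent"] += 1
        bucket["clicked"] += int(clicked)
        bucket["reported"] += int(reported)
    return {
        dept: {
            "sent": t["sent"],
            "click_rate": t["clicked"] / t["sent"],
            "report_rate": t["reported"] / t["sent"],
        }
        for dept, t in totals.items()
    }


def departments_needing_focus(metrics, click_threshold=0.25):
    """Departments whose click rate exceeds the threshold get targeted retraining."""
    return sorted(d for d, m in metrics.items() if m["click_rate"] > click_threshold)


def overdue_users(roster, completions, today, max_age_days=30):
    """Users who never completed training, or whose last completion is older
    than max_age_days. Applying the consequence (access suspension) is left
    to whatever identity system the organization uses."""
    cutoff = today - timedelta(days=max_age_days)
    return [
        user
        for user, _dept, _role in roster
        if completions.get(user) is None or completions[user] < cutoff
    ]


if __name__ == "__main__":
    metrics = phish_metrics(ROSTER, PHISH_RESULTS)
    print("tiers:", tiers_for_roster(ROSTER))
    print("drill metrics:", metrics)
    print("retrain departments:", departments_needing_focus(metrics))
    print("suspend access:", overdue_users(ROSTER, COMPLETIONS, REVIEW_DATE))
```

Tracking the report rate alongside the click rate matters: a department with a low click rate but nobody reporting the email has not really learned the behaviour the training is after, which is to tell someone.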
Security education, training, and awareness programs serve a huge purpose in every organization by educating its employees about cybersecurity and how to identify, detect, and act when they encounter an incident. Humans remain the biggest link that is targeted by cybercriminals. Initially, I would run through the current security education, training, and awareness program to determine if there are any gaps. This can be done in several ways, like testing the employees’ knowledge level. Once I gather that information, I would meet with executive counterparts, explain the importance of having this program in place and the consequences of not having it, and produce a budget that would support the program. From there, the program will be implemented to meet the targeted audience, which is our employees. I would make it engaging so that it accommodates all employees at various levels and ensures that everyone gets the right training that pertains to their job functions. Phishing email simulations and incident drills through simulated attacks will be included in this program to test employees’ knowledge and determine if they require more training or specialized training depending on the level of understanding. The last thing to do is to have the leadership lead by example by doing the right thing, and make sure the training will be compatible with new hires as well.
In order to develop an effective Security Education, Training, and Awareness Program, the Information Security team should assess the type of organization they work for and who the audience is in order to fully assess the training needs. In order for the program to be effective, the first goal should be awareness. Many incidents happen due to ignorance or people rushing and not paying attention, such as the phishing emails we saw in the Target breach last week. The training should start with general awareness training for all, which should include information that identifies that Information Security is the responsibility of everyone in the organization and that they are tasked with vigilance to help protect the organization and its stakeholders. Once baseline knowledge and accountability are established, then training can be further refined and expanded depending on the person’s job description (for example, do they come into contact with SPII or PII) and role within the organization (for example, the technical needs of security architects and network engineers). Once the training has been developed (general, specialized, and specialized/technical), the strategy, execution, “buy-in”, budget, and schedule need to be developed and implemented. It is important that people learn by “doing”. Policies should be created related to awareness, mandatory training and frequency of training/deadlines, and roles and responsibilities. Policies help set the tone. A budget should be established based on the training needs of the department. For example, some specialized training might require an outside organization and specific courses. There should also be tests and real-life scenarios set up to reinforce the content learned and the roles and responsibilities in the instance of an event. This could be company-wide phishing tests using software such as PhishMe or scheduled tabletop exercises simulating a cyber security breach.
Metrics can be developed to help measure the success of the training and determine if it is effective, i.e. phishing attempts, patches applied, etc. Lastly, feedback forms can be used to determine what the employees think of the training received and how effective it is.
Hi Christa,
I like your inclusion of tests and real-life scenarios as part of the SETA program. However, I think that not all companies may have the application or time necessary to perform real-life scenarios of cyber threats. I do agree that some form of practice should occur, such as tabletop exercises, since it does test the capabilities of an organization, but these should be scheduled with the organization’s capabilities in mind.
First, I would need to do an audit of the current security education in place: where it is effective and where it is lacking. Next, I would need to assess the information assets the company holds in order to effectively plan what is best suited for protecting the information most vital to the operation of the company. Doing a complete overhaul of the current security policies may not be welcome, and thus the policies may not be abided by; because of this, upper-level management would be consulted to offer a more tailored and gradual approach to policy reform. The training program would have a heavy emphasis on awareness, primarily on the phrase “see something, say something”. It is impossible for all employees to have the requisite knowledge to identify signs of an intrusion, but always being aware, on the lookout, and ready to report any suspicious activity to the cyber security department is very valuable. As for security education, there would be mandatory lessons on basic cyber security such as phishing, password management, and safe web surfing. Going too in-depth in training has diminishing returns; most employees want to get by with the bare minimum, and bare-minimum security awareness is effective for most attacks. As mentioned previously, maintaining awareness is the most important aspect of the new program.
I agree with your comments on the security training; however, I do think some sort of tracking and monitoring of training needs to be added as well. I also agree with not having too detailed of training for the average employees (i.e. email users), as long as the main topics/risks are covered like phishing and password sharing.
I would begin with an audit of the company to determine where most of the privy information is. Since most people within a company can only access certain information, I would make sure that different priorities and securities are put in place after the audit depending on the severity of the data, while maintaining a base requirement for security purposes. I would prioritize online security and confidentiality and ensure that no information is being leaked (which can be tracked through logs) to deal with insider leaks, on top of security seminars which are mandatory to attend every two to three months with new information and reports to maintain consistent security. On top of that, emails should all be verified within the company to ensure no malware sneaks its way through and no one is vulnerable to outside attacks. Finally, I would look at the company’s interest in its cybersecurity and recommend specific action be taken if certain aspects of the network, etc., were compromised or lacking in any way.
I agree with the training of the employees that secure and maintain the data, but I also think the everyday users (non-IT employees) also need to have training on the most common causes of attacks like phishing emails and password sharing. These risks would not be addressed by verifying all emails in the company.
Hello Matthew,
I also think it is a good idea to look at the company’s interest in its cybersecurity, because it gives you a better understanding of whether the company is willing to invest. Once you gather that information, then with experience you will know what recommendations and changes must be implemented.
In developing a SETA program, the first step would be to understand the organization’s infrastructure as a whole. The purpose of a SETA program is to educate employees on what they should do relating to information security in their organization. As such, the program should encompass trainings and policies that are inclusive of the whole company and can be understandable by everyone within the company.
The policies are important as they are the written rules and provide the roadmap for both current and future operations. Senior management needs to work with policy writers to create and define the policies to help encourage and enforce adherence to the policies. The trainings are also important as they help to guide employees. These can include classroom sessions and meetings, practice scenarios, or online training. Trainings are a priority when developing SETA programs, especially for new employees, as they help to define acceptable use while educating on security awareness. These trainings should be reinforced roughly every 6 months to help educate and reinforce existing skills. They should include the standards for applying security at work as well as specifics applicable to the organization. In general, the trainings should be understandable by all employees and should apply based on the organization’s needs.
How do you go about developing a security education training and awareness program?
In my opinion, there are two places to start for an awareness and training program. The first is to address the awareness. Address existing policies the company has in place for security alongside the standard security knowledge topics such as anti-phishing, password hygiene, wifi security, device security, etc. This is the simple side of the program; it addresses established subjects.
The second area to address is the security education. While this does overlap with the standard topics in the awareness area, the primary focus here would be to address the weaknesses specific to this business or organization. Look to risk assessments, previous incidents, items unique to the business/niche, and direct interviews to discover the areas where the group is weak, and generate content to address those topics. There is no one-size-fits-all model to this part of the program; it has to be tailored to the audience to be effective.
I completely agree with the idea of tailoring the training/program towards the group in mind and wish I had mentioned that in my own response. A good base can be given by those trainings, but tailoring previous breaches and solutions towards a specific group definitely seems a lot more applicable to the situation and its success as a whole.
I would first see what basic trainings there are regarding security, because all firms have basic programs in place that employees have to go through. I think sometimes these trainings are not practiced enough to the point where an employee would remember them. I would like to gather data on how people are doing on these trainings, which would include interactive learning with videos and quizzes. They would have to pass these quizzes in order to finish the training. I would gather data on who is doing well and who is not, and send out more training to those who are not doing well.
I would first have basic trainings where there is only information when they are hired, along with all other trainings. Then from time to time I would send these trainings again, which could vary from 3-6 months, and depending on how well they do I would send them out based on performance. I also want to have these trainings where they are taking quizzes and actually paying attention to what is on the screen. I would also sort some of these trainings based on the role each person plays in the firm. If they are more oriented towards security, then give training based on the specifics.
I like that you specifically mentioned the word “interactive” when it came to the training. I strongly agree that forcing the interaction with the activity at hand before being able to move forward with the content helps ensure at the very minimum the user is paying attention to the content and hopefully encourages better digestion/retention of information.
To develop security training and awareness programs, it is essential to establish a procedure to be followed for greater efficiency. First, assemble all the historical information about cybersecurity management, and then determine the restrictions on the firm or the employees (Living Security Team, 2021). Third, recognize the starting point’s security flaws and promote a supportive rather than a fearful society.
Create a targeted monthly schedule, segregate the awareness subjects, and consider all the resources that can support each team to achieve efficiency. Also, get the support of the executive team and your CISO, who will be responsible for budget approval and for providing the tools you need to be successful (Living Security Team, 2021). Furthermore, material and a strategy for monitoring results should be in place before the cybersecurity awareness training is rolled out, if required.
Furthermore, you must examine your current interface carefully: whether it is monitoring every KPI it is supposed to, and whether it can demonstrate ROI. Additionally, you may lighten the load on some aspects of your project by teaming up with other providers of security services. Finally, establish an environment of greater security.
Hi Christa, I agree with you that an effective SETA program should be implemented so that employees can be an informed target rather than an uninformed target.
First, I would need to do an audit of the current security education in place, where is it effective and where is it lacking. Next, I would need to access the information assets the company holds onto to effectively plan best suited for protecting the information most vital to the operation of the company. Doing a complete overhaul of the current security policies may not be welcome and thus policies may not be abided by, because of this upper-level management would be consulted to offer a more tailored and gradual approach to policy reform. The training program would have a heavy emphasis on awareness, primarily on the phrase, “see something, say something”. It is impossible for all employees to have the requisite knowledge to identify signs of an intrusion but always being aware, on the lookout, and ready to report any suspicious activity to the cyber security department is very valuable. As for security education, mandatory lessons on basic cyber security such as phishing, password management, and safe web surfing. Going too in-depth in training has diminishing returns, most employees want to get by with the bare minimum, and the bare minimum-security awareness is effective for most attacks. As mentioned previously maintaining awareness is the most important aspect of the new program.
I agree with your comments on the security training; however, I do think some sort of tracking and monitoring of training needs to be added as well. I also agree with not having too detailed of training for the average employees (i.e. email users), as long as the main topics/risks are covered like phishing and password sharing.
I would begin with an audit of the company to determine where most of the privy information is. Since most people within a company can only access certain information, I would make sure that different priorities and securities are put in place after the audit depending on the severity of the data while maintaining a base requirement for security purposes. I would prioritize online security and confidentiality and ensure that no information is being leaked – which can be tracked through logs – to deal with insider leaks on top of security seminars which are mandatory to go to every two to three months with new information and reports to maintain consistent security. On top of that, emails should all be verified within the company to ensure no malware sneaks its way through and no one is vulnerable to outside attacks. Finally, I would look at the company’s interest in its cybersecurity and recommend specific action be taken if certain aspects of the network or etc. were compromised or lacking in any way.
I agree with the training of the employees that secure and maintain the data, but I also think the everyday users (non-IT employees) also need to have training on the most common causes of attacks like phishing emails and password sharing. These risks would not be addressed by verifying all emails in the company.
Hello Matthew,
I also think it is a good idea to look at the company’s interest in its cybersecurity, because it gives you a better understanding of whether the company is willing to invest. Once you gather that information, then with experience, you will know what recommendations and changes must be implemented.
In developing a SETA program, the first step would be to understand the organization’s infrastructure as a whole. The purpose of a SETA program is to educate employees on what they should do relating to information security in their organization. As such, the program should encompass trainings and policies that are inclusive of the whole company and can be understandable by everyone within the company.
The policies are important as they are the written rules and provide the roadmap for both current and future operations. Senior management needs to work with policy writers to create and define the policies to help encourage and enforce adherence to them. The trainings are also important as they help to guide employees. These can include classroom sessions and meetings, practice scenarios, or online training. Trainings are a priority when developing SETA programs, especially for new employees, as they help to define acceptable use while educating on security awareness. These trainings should be reinforced roughly every 6 months to help educate and reinforce existing skills. They should include the standards for applying security in work as well as specifics applicable to the organization. In general, the trainings should be understandable by all employees and should apply based on the organization’s needs.
How do you go about developing a security education training and awareness program?
In my opinion, there are two places to start for an awareness and training program. The first is to address the awareness. Address existing policies the company has in place for security alongside the standard security knowledge topics such as anti-phishing, password hygiene, wifi security, device security, etc. This is the simple side of the program; it addresses established subjects.
The second area to address is the security education. While this does overlap with the standard topics in the awareness area, the primary focus here would be to address the weaknesses specific to this business or organization. Look to risk assessments, previous incidents, items unique to the business/niche, and direct interviews to discover the areas where the group is weak, and generate content to address those topics. There is no one-size-fits-all model for this part of the program; it has to be tailored to the audience to be effective.
Hey David,
I completely agree with the idea of tailoring the training/program towards the group in mind and wish I had mentioned that in my own response. A good base can be given by those trainings, but tailoring previous breaches and solutions towards a specific group definitely seems a lot more applicable to the situation and its success as a whole.
I would look at what basic trainings there are regarding security, because all the firms have basic programs in place that employees have to go through. I think sometimes these trainings are not practiced enough to a point where an employee would remember them. I would like to gather data on how people are doing on these trainings, which would include interactive learning with videos and quizzes. They would have to pass these quizzes in order to finish the training. I would gather data on who is doing well and who is not, and send out more training to those who are not doing well.
I would first have basic trainings, where there is only information given when they are hired along with all other trainings. Then from time to time I would send these trainings out again, which could vary from 3 to 6 months, and depending on how well they do I would send them out based on performance. I also want to have these trainings where they are taking quizzes and actually paying attention to what is on the screen. I would also sort some of these trainings based on the role each person plays in the firm. If they are more oriented towards security, then give training based on the specifics.
Hi Parmita,
I like that you specifically mentioned the word “interactive” when it came to the training. I strongly agree that forcing the interaction with the activity at hand before being able to move forward with the content helps ensure at the very minimum the user is paying attention to the content and hopefully encourages better digestion/retention of information.
To develop security training and awareness programs, it is essential to establish a procedure to be followed for greater efficiency. First, assemble all the historical information about cybersecurity management, and then determine the restrictions on the firm or the employees (Living Security Team, 2021). Third, recognize the starting point’s security flaws and promote a supportive rather than a fearful society.
Create a targeted monthly schedule, segregate the awareness subjects, and consider all the resources that can support each team to achieve efficiency. Also, get the support of the executive team and your CISO, who will be responsible for budget approval and providing the tools you need to be successful (Living Security Team, 2021). Furthermore, material and a strategy for monitoring results should be prepared before the cybersecurity awareness training is rolled out, if required.
Furthermore, you must examine your current interface carefully: whether it is monitoring every KPI it is supposed to, and whether it can demonstrate ROI. Additionally, you may lighten the load on some aspects of your project by teaming up with other providers of security services. Finally, establish an environment of greater security.