The term security awareness is frequently used when talking about information security, and rightfully so. In my experience the two single most important factors to successful information security management are:
a) Security awareness
In fact, without cooperation you will not succeed with much of anything. But, it is especially relevant when it comes to information security that today spans over entire organizations. Data is spread all over with different information assets located in different systems in different locations, which makes cooperation more than crucial. And, to succeed with cooperation when it comes to information security, security awareness is vital. If your staff isn’t aware of potential risks, or of what their colleagues are doing, the ability to identify and establish the required teams will greatly diminish. Most organizations would be likely to benefit from linking their security awareness program to their risk and opportunities assessments. This way you will have logical input to your process flow, and an easy way to demonstrate the benefits of the program.
I feel that many organizations focus their security awareness work on technical details and pre-defined concerns way too much. This limits staff from thinking freely about potential risks or other, potentially unknown, concerns. I instead recommend that security awareness should aim at getting everyone on staff to independently identify possible risks, within their own field or others.
The concept of cooperation becomes even more valid in large organizations where you should make absolutely sure that staff from different parts of the organization sit down together and discuss security matters. When someone hears someone else’s point of view, and possibly in areas they’ve never reflected upon earlier, it will really improve their understanding, “awareness”, and probably your organization’s overall maturity around security.