

Running the Information Security and Privacy Program in the Right Shoes

I like to run. I try to run almost every day from 3.5 - 6 miles. It stimulates my thinking, refreshes my mind and body, and I truly have the best ideas and thoughts while I'm running. I could not have written my books, chapters and articles if it were not for running.

Recently I started getting blisters on my feet, and my legs were achy in ways they hadn't been...strange, since I had not really experienced that before. I then realized I had not gotten new running shoes in at least a year. I looked at my shoes, and yes, they looked a bit worn.

So I got a new pair of running shoes, the exact same kind as I've been getting the past several years, and I put on one old shoe and one new shoe.

OH MY GOSH!!!! The difference was amazing!!

I put on both new shoes; they were more supportive, more bouncy, supporting my feet and legs in ways I'd forgotten my feet and legs had once been supported; just all around better feeling than my old worn-out running shoes. I went for a run in my new shoes. I ran a mile more than I had planned before I realized it just because they felt so good! My old shoes had felt that good, too, when I first got them. However, I did not notice, day by day, over the course of a year, how slowly and imperceptibly my continuous running had worn them down. They always felt the same from one run to another. It was not until I was able to compare them with a new pair of shoes that I noticed how much they had actually worn down over time.

So what do running shoes have to do with information security, privacy and compliance programs? A LOT!!!

Just like running shoes, information security programs, privacy programs, and compliance programs often get launched after a lot of thought and planning, making a big splash in the organization and (if done correctly) seeming as though they fit the organization perfectly!

However, as time goes on, the program slowly deteriorates in many small, and often unnoticed, ways from day to day.

* Malware prevention tools and practices slowly degrade in efficiency if they are not regularly reviewed and updated.

* Procedures that were once very effective become ineffective in time as personnel, technologies, business products and services, and so on change; so they must be regularly reviewed and updated so they don't become worn and a poor fit for your organization.

* The big security training implementation may have been a huge success when it was launched, but without ongoing awareness messages and training, what was learned on the day of training slowly leaves the minds of your personnel, bit by bit, until they are back to their worn-out, unsecure work practices. This makes ongoing awareness communications and training imperative.

* And the list goes on...


Just like running shoes, you need to monitor your information security, privacy and compliance programs. You need to establish baselines of where you're at with the components of your program so you can measure when it is getting "worn out." You need to update the components that are no longer effective. You need to send ongoing awareness communications. You need to provide regular, updated, training to all employees as well as targeted groups.

How often do you check on your security, privacy and compliance programs' effectiveness?

How often do you provide training?

How often do you send awareness communications?

The last question is the topic of my blog poll for this week...please look to the right and click a poll button! I just discovered that the map that is generated is NOT accurate, so unfortunately you cannot tell the geographic locations of the poll participants. On the other hand, hopefully knowing that inaccurate ISP information is being collected with the click of the poll button will encourage more of you to take the poll. Even if you are not responsible for awareness and training, please indicate how often awareness communications are sent at your organization. My expectation is that it is far less often than is effective, but perhaps you will prove me wrong.

Hey...now I'm ready for my run! :)


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.