“training” may imply more than I intended. We have an annual stupid video to watch and a bunch of wiki pages about basic infosec behaviors and mechanisms to keep some info off of shared build systems, and some “loose lips sink ships” posters. It does include guidance on baseline “company confidential” behavior and not talking with outsiders except on the narrow topics related to their work. We do have formal classes (with tests and mock presentations) before we’re allowed to give talks or speak to groups on behalf of the company.
There remain a _LOT_ of cultural and ad-hoc expectations on the topic, far more than official policy or training. And there are ongoing debates about the very large value in open sharing of information compared with the cost of leaks. This leads to a fair bit of nuance regarding which topics are “just don’t talk about” and which are “have a good reason before discussing with someone” and which are “don’t advertise widely, but feel free to discuss if it’s relevant”.
At a very basic level, for both private and commercial secrets, you have a LOT of evidence about how seriously it’s taken, just by the fact and manner that the secret is given to you. “If you want it kept secret, why are you telling ME?” Asking this question is a great opener for understanding what the specific expectations are.