Building a Security Awareness Program? Start with Strategy and Goals

Part 1 of a 4-part series on building and maintaining a security awareness program, in support of National Cybersecurity Awareness Month.

In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent 5 years in IT compliance, I knew this wasn’t the right approach to get users to learn or care about security. I kept telling the director that owned the role, “Compliance focus is wrong – you have to market to the users.”

Seven years later, I have a few tips to share about creating a security awareness program. The first tip might sound obvious, but how many times have you seen it ignored? Make sure you have a strategy. And while you’re strategizing, remember to set some goals.

Ask your SOC for help.

Before you can begin to build your program strategy, reach out to your Security Operations/Incident Response team. This team should be your best friend, and YOU will become theirs. They genuinely care about protecting your organization, and you will be a breath of fresh air to them.

What should you ask them? They have lots of data and metrics, and they most likely track a number of high-risk incident categories. What are the top 2-3 categories that …? How much time does it take to remediate each of these incidents, both for the user and for the highly skilled technical staff?

Start simple.

Once you have identified the top risky behaviors for your organization, you can begin building a program by outlining strategy and goals. Remember that a strategy is a long-term plan, so don’t try to tackle every behavior in your first year. Start simple. Some behaviors may require further analysis before you can address them.

Let’s take browsing for instance. As you dig into the data, you find that users are able to open any website that has been categorized by your proxy filtering solution. You block the bad stuff: malicious, inappropriate content, gambling, etc. But what about new, not-yet-categorized websites, the ones attackers like to host their malware on? Do you allow traffic to those websites? Most proxy solutions give you a way to show a banner or warning page to the user, letting them know a site has been blocked and why (for example, because it has been categorized as malicious).

So, part of your strategy might be to leverage existing technology to stop users in their tracks. Another part could be to design a banner page explaining WHY a site is potentially bad, along with a way to request access to the site and register it, so users can do business if they judge the risk to be low.

It’s not training, it’s culture change.

Security awareness programs over the years have been lumped into the “training” category. Don’t jump right to the “let’s give them training” camp. Security awareness is about culture change: communicating the security posture of the organization.

If your organization is regulated, you are required to provide annual mandatory security training. The typical default for this training is a CBT module, because it’s easy to track and demonstrate compliance. But don’t stop there. To influence change in behavior and culture, you need ongoing communications and content, not just once a year. This is where building a catalog of content and available resources becomes necessary. Build a portal where you can post newsletters, alerts, and videos so your users come to you. Build a calendar of themes for the year, either by month or by quarter, but allow for flexibility so you can address new threats that affect your organization or industry.

You can’t do this alone. Yes, you may be the only one officially assigned to this task, but building your informal network and team will help you get your program off the ground. First and foremost, find a senior leader to champion your program, someone who understands the value of the program and will go to bat for it with their peers. This will help build confidence in your program and make it more visible.

The next groups you should befriend are your corporate communications and marketing teams. They typically hold the keys to getting your message out. That intranet page? Those teams control the content appearing above and below the scroll.

Building a program takes time and resources. If those are limited, start small and grow as your program gains credibility. Use small wins to demonstrate value and then expand those resources. There are also plenty of free resources available to help get you started.

Recommended reading: If you’re looking for more knowledge on how to change organizational behavior, I suggest getting a copy of Switch: How to Change Things When Change Is Hard, by Chip Heath.

Next week, part 2 will cover how to add the right content to your program.
