Building a Security Awareness Program? Start with Strategy and Goals
Part 1 of a 4-part series on building and maintaining a security awareness program, in support of Cybersecurity Awareness Month. #BeCyberSmart
I’ve been with Cofense for two and a half years now interacting with several groups internally, but there are plenty of moments when I still get to chat with Awareness professionals. It’s in these moments that I realize there’s still some passion for helping others with their programs. I wrote this series early in my first few months of joining the organization and find these are still the recommendations I provide to others building or maturing their programs.
In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent five years in IT compliance, I knew this wasn’t the right approach to get users to learn or care about security. I kept telling the director who owned the role, “Compliance focus is wrong – you have to market to the users.”
Seven years later, I have a few tips to share about creating a security awareness program. The first tip might sound obvious, but how many times have you seen it ignored? Make sure you have a strategy. And while you’re strategizing, remember to set some goals.
Ask your SOC for help.
Before you can begin to build your program strategy, reach out to your Security Operations/Incident Response team. This team should be your best friend—and YOU will become theirs. They genuinely care about protecting your organization and you will be a breath of fresh air to them. But you will most likely need to remind them that they have the “Curse of Knowledge” (week-two book suggestion) and they don’t remember what it’s like not to know something. They’ve been doing technology and cyber too long to put themselves in the shoes of the user, so that’s where you step in.
What to ask them? They have lots of data and metrics. They most likely can give you a number of high-risk incident categories that they track. What are the top two or three categories that ….? How much time does it take to remediate each of these incidents—for the user and for the highly skilled technical staff?
Once you have identified the top behaviors for your organization, you can now begin building a program by outlining strategy and goals. Remember that a strategy is a long-term plan, so don’t try to tackle every behavior in your first year. Start simple. Some behaviors may require further analysis.
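To make the “ask your SOC” step concrete, here is an added example (not code from the post or from Cofense) that ranks incident categories two ways: by how often they happen and by the hours they cost users and analysts. The incident records are constructed sample data, not real metrics, and the category names are assumptions. The point it shows is that the most frequent category is not necessarily the most expensive one, which matters when you pick the two or three behaviors to target first.

```python
from collections import defaultdict

# Constructed sample export from a SOC ticketing system (not real data):
# (incident category, minutes the user lost, minutes analysts spent remediating).
SAMPLE_INCIDENTS = [
    ("phishing_click", 20, 90),
    ("phishing_click", 15, 120),
    ("phishing_click", 30, 60),
    ("phishing_click", 10, 45),
    ("malware_download", 240, 480),
    ("malware_download", 180, 600),
    ("lost_device", 60, 30),
    ("lost_device", 45, 40),
    ("lost_device", 50, 35),
    ("password_reuse", 5, 15),
    ("password_reuse", 5, 20),
    ("password_reuse", 5, 10),
    ("password_reuse", 5, 10),
    ("password_reuse", 5, 15),
]


def summarize(incidents):
    """Aggregate per category: count, user hours, analyst hours and total hours."""
    agg = defaultdict(lambda: {"count": 0, "user_min": 0, "analyst_min": 0})
    for category, user_min, analyst_min in incidents:
        entry = agg[category]
        entry["count"] += 1
        entry["user_min"] += user_min
        entry["analyst_min"] += analyst_min

    summary = {}
    for category, entry in agg.items():
        summary[category] = {
            "count": entry["count"],
            "user_hours": round(entry["user_min"] / 60, 2),
            "analyst_hours": round(entry["analyst_min"] / 60, 2),
            "total_hours": round((entry["user_min"] + entry["analyst_min"]) / 60, 2),
        }
    return summary


def top_categories(incidents, by="count", n=3):
    """Return the top-n category names ranked by the chosen metric
    ("count", "user_hours", "analyst_hours" or "total_hours")."""
    summary = summarize(incidents)
    ranked = sorted(summary.items(), key=lambda kv: kv[1][by], reverse=True)
    return [category for category, _ in ranked[:n]]


if __name__ == "__main__":
    for metric in ("count", "total_hours"):
        print(f"Top behaviors by {metric}: {top_categories(SAMPLE_INCIDENTS, by=metric)}")
    for category, stats in summarize(SAMPLE_INCIDENTS).items():
        print(category, stats)
```

On this sample, password reuse leads by count while malware downloads lead by remediation hours; both rankings are worth bringing to the strategy discussion, since one tells you what users do most often and the other tells you what hurts the organization most.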
Let’s take browsing for instance. As you dig into the data, you find that users can open websites based on how your proxy filtering solution has categorized them. You block the bad stuff—malicious, inappropriate content, gambling, etc. But what about those new websites, you know, the ones attackers like to host their malware on? Do you allow traffic to those websites? Most proxy solutions have a method for you to post a banner or warning to the user, letting them know a site has been blocked and why (it’s been categorized as malicious).
So, part of your strategy might be to leverage existing technology to stop users in their tracks. Another part could be to design a banner page explaining WHY a site is potentially bad, along with a way to gain access to and register for the site, so users can do business if they think the risk is low.
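The policy sketched in the two paragraphs above, written out as an added example (not the post’s or any proxy vendor’s code): known-bad categories are blocked outright, uncategorized and newly registered domains get a warning banner that explains why and points to a self-service registration path, and a registered business exception lets users proceed. The category names, the 30-day “newly registered” window, the exception portal URL and the sample requests are all assumptions made for the illustration. It also counts decisions by reason, which is the kind of number you can hand back to the SOC and to your own program metrics.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumptions for this illustration (not from the post): category names,
# the "newly registered" window and the exception portal are placeholders.
BLOCKED_CATEGORIES = {"malicious", "adult", "gambling"}
NEW_DOMAIN_DAYS = 30
EXCEPTION_PORTAL = "https://intranet.example/proxy-exception"  # placeholder URL


@dataclass
class Request:
    user: str
    host: str
    category: Optional[str]      # proxy vendor category; None when uncategorized
    registered: Optional[date]   # domain registration date from domain intel; None if unknown


@dataclass
class Decision:
    action: str    # "allow", "block" or "warn"
    reason: str    # short machine-readable reason, used for reporting
    banner: str    # text shown to the user; empty when the request is allowed


def banner_for(host, explanation):
    """Banner that says WHY the site was stopped and how to register it for business use."""
    return (f"Access to {host} was stopped. Why: {explanation} "
            f"If you need this site for business, you can register it at {EXCEPTION_PORTAL}.")


class ProxyPolicy:
    def __init__(self, today):
        self.today = today
        self.exceptions = {}      # host -> (user, justification)
        self.reason_counts = {}   # reason -> number of decisions, for SOC and program metrics

    def register_exception(self, host, user, justification):
        """Self-service registration from the banner page; recorded with who and why."""
        self.exceptions[host] = (user, justification)

    def evaluate(self, req):
        decision = self._decide(req)
        self.reason_counts[decision.reason] = self.reason_counts.get(decision.reason, 0) + 1
        return decision

    def _decide(self, req):
        # Known-bad categories are blocked outright; no self-service exception applies.
        if req.category in BLOCKED_CATEGORIES:
            return Decision("block", f"category:{req.category}",
                            f"Access to {req.host} was blocked because it is categorized as {req.category}.")
        # A registered business exception overrides the "unproven site" checks below.
        if req.host in self.exceptions:
            return Decision("allow", "business_exception", "")
        if req.category is None:
            return Decision("warn", "uncategorized", banner_for(
                req.host, "this site has not been categorized yet, so its reputation is unknown."))
        if req.registered is not None and (self.today - req.registered).days < NEW_DOMAIN_DAYS:
            return Decision("warn", "newly_registered", banner_for(
                req.host, f"this domain was registered fewer than {NEW_DOMAIN_DAYS} days ago, "
                          "and attackers often host malware on brand-new domains."))
        return Decision("allow", "allowed", "")


def demo():
    """Run constructed sample requests through the policy; returns (decisions, reason_counts)."""
    policy = ProxyPolicy(today=date(2024, 6, 1))
    requests = [
        Request("alice", "bad.example", "malicious", date(2020, 1, 1)),
        Request("alice", "fresh.example", None, date(2024, 5, 28)),
        Request("bob", "startup.example", "business", date(2024, 5, 20)),
        Request("carol", "news.example", "news", date(2015, 3, 3)),
    ]
    decisions = [(r.host, policy.evaluate(r).action, policy.evaluate(r).reason) for r in []]
    for r in requests:
        d = policy.evaluate(r)
        decisions.append((r.host, d.action, d.reason))
    # Bob registers the new vendor site from the banner page, then retries.
    policy.register_exception("startup.example", "bob", "vendor onboarding")
    d = policy.evaluate(Request("bob", "startup.example", "business", date(2024, 5, 20)))
    decisions.append(("startup.example", d.action, d.reason))
    return decisions, policy.reason_counts


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
    print(demo()[1])
```

The ordering in `_decide` is the design choice worth noting: a business exception can lift a warning about an unproven site, but it never lifts a block on a known-bad category, so the self-service path cannot be used to reach sites the proxy already knows are malicious.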
It’s not training, it’s culture and behavior change.
Security awareness programs over the years have been lumped into the “training” category. Don’t jump right to the “Let’s give them training” camp. Security Awareness is about a culture change, communicating the security posture of the organization.
If your organization is regulated, you are required to provide annual mandatory training for security. The typical default for this training is a CBT module because it’s easy to track and demonstrate compliance. But don’t stop there. In order to influence change in behavior and culture, you need ongoing communications and content, not just once a year. This is where building a catalog of content and available resources is necessary. Build a portal where you can post newsletters, alerts and videos so your users come to you. Build a calendar of themes for the year, either by month or quarter, but allow for flexibility. This allows you to address new threats that affect your organization or industry.
You can’t do this alone. Yes, you may be the only one officially assigned to this task, but building your informal network and team will help you get your program off the ground. First and foremost, find a senior leader to champion your program, someone who understands the value of the program and will go to bat with their peers. This will help build confidence in your program and make it more visible.
The next group you should befriend are your corporate communications and marketing teams. These groups typically hold the keys to getting your message out. That intranet page? Those teams control the content appearing above and below the scroll.
Building a program takes time and resources. If those are limited, start small and grow as your program gains credibility. Use small wins to demonstrate value and then expand those resources. There are also plenty of free resources available to help get you started.
Recommended reading: If you’re looking for more material on changing organizational behavior, I suggest getting a copy of SWITCH, How to Change Things when Change is Hard, by Chip Heath.
Next week, part 2 will cover how to add the right content to your program.