By Jason Hoenich on Oct 7, 2017
So. Security awareness just appeared on your radar, and you haven't a clue what it really is, how to do it, or where to begin. Welcome, my friends, to the show that never ends...but stress not!
As a security awareness expert I've built world-class programs for household names like The Walt Disney Company, Sony Pictures Entertainment, Activision Blizzard, and I'm ready to share what I learned from these real-world experiences to provide you with actionable guidance.
I'm going to make a few assumptions. You are likely:
- CISO/CTO/CIO/CSO etc. Your job is to answer the board or executive leadership. They want to know if/how we're handling "the human risk" in the company. Awareness rolls up to you.
- Infosec Analyst (of varying levels). Likely from the technical side of information security, you've shown some ability or interest in communicating risks to users, and possibly unknowingly volunteered yourself as the person to start security awareness "stuff" at your company. It's a bit of a break from the SIEM logs, vulnerability scans, threat intel, and associated reporting and PowerPoint decks you typically focus on. You report up to the big guy/gal in charge (see #1).
- Corporate communications specialist, marketing "guru", or VP level of communications. You have been given the responsibility of helping the CISO/InfoSec team with creating some "awareness material" and need to make sure they don't screw it up. You are likely working with roles above...
- You are the IT Department. You build the network, provision user accounts, block phishing emails, fix printers, clean up malware, talk to users daily, etc. THE COMPANY WOULDN'T SURVIVE WITHOUT YOU.
Wherever you land, you're likely new to security awareness program management. Your exposure thus far ranges from really awful CBT modules, rogue phishing training emails, some sh*tty posters you've seen, and maybe some really poorly produced videos with some low-grade content (that you wouldn't even leave on for your pet's entertainment during the day). Or maybe you've been inspired by some cool programs at other companies, and you want to model those?
This is simple. You need a really good plan. Then you work it.
I see a lot of articles and guidance out there in the industry from vendors and security experts on how to run security awareness, and I chuckle because most of the guidance is founded upon theory and very rarely is it founded upon real-world experience.
The only reason I've been as successful as I have is that I've built those programs using a template I've curated after years of failures and successes. Each time I learn something, I update my program plan.
I can't stress enough just how powerful this program plan template is. I've shared it with a lot of my peers in the awareness industry and the feedback I've received is that it is very, very helpful and a fundamental resource for their programs.
YES, YOU CAN USE IT! - CHECK IT OUT HERE.
Awareness of the Awareness
I actually don't like the term awareness. I try to get my leadership to think of this program as similar to marketing - I like to call it Security Marketing. What we're doing is no different than what advertisers are doing every day - getting us to make a behavior change to do something that benefits their company. Drink Coke, wash your face with Noxzema, eat Lay's chips (betcha can't...). We're going for a behavior change with our end users. Stop clicking links, use stronger passwords, and be careful what you post on social media...any number of other relevant security risks.
Anyway, one thing that happened to me repeatedly for the first few years was every time I wanted to start a new initiative/project (whether it was phishing training, annual training, a campaign around social engineering, etc.), it felt like someone had hit the reset button. I had to go back and ask for approval and justify the reasons for my request, and often times, my role. Time and again it was...
...and it was coming from my senior leadership. Those holding the keys to the budget didn't know what the hell I was even doing for them. That was my fault, so I found a way to resolve the issue. You guessed it - that program plan template I keep mentioning.
Here is what the program plan document helps you accomplish:
- Program mission statement aka the goals of the program
- Defines roles within the program (program manager, program owner, stakeholders)
- Simple advisory board creation
- Personas for training (types of roles)
- What you want to train users on (what risks)
- How you plan on training users
- Major initiatives (outside of compliance/checkbox requirements)
- Feedback methods
- Metrics & reporting cadence
- Key dates & milestones
Don't let this program plan overwhelm you. It can be simple and effective. The benefits of completing this program plan are:
- buy-in from senior leadership & stakeholders,
- a de facto resource you can refer to months down the road in discussions, and
- a workable plan & timeline.
Each step along the way helps you form your guidance for the next.
Security Awareness 2.0: User Experience
Don't fall into the trap of blindly executing a vendor's product. Vendors have nearly no insight into your culture. They benefit from suggesting you assign a 45-60 minute annual training comprising 7-10 of their modules. They're selling you their licenses and product. And you know what? You don't need all those modules; you'll likely use 4-6 semi-effectively.
SO DO THIS INSTEAD:
Talk to your users. Ask them what topics are most important to them to learn about. Ask them if they like the content before you purchase something. They will tell you if they do or don't. If they don't, they won't complete the training. And if you have to force them to do it, think about the expectations you're establishing for how they view your program. We even have a page so you can compare vendor videos in the space (I'm a little biased, but think ours are the best).
Ask your leadership what their top 3 concerns are. Ask your people managers what the most common risks they see are.
If you build a program around the needs of your users, and you get feedback from them and acknowledge their input, you will find success much quicker than by forcing on them what you think they need to know.
Get out and hit the proverbial corporate pavement. Dedicate a week to just speaking with leaders across your organization, with managers, and with your users. Have a list of 5-7 questions, go have a 10-15 minute dialogue with as many of these people managers as you can fit into a few days or a week, and start from there.
Surprisingly, you will gather enough intel to be able to highlight 4-5 areas of focus for your awareness campaigns to hit in the first year of the program. And impress the hell out of your management.
Consider questions like:
- Are your users familiar with our security policies?
- What security risks are you seeing every day?
- How could we simplify security for your users?
- What is one security-related annoyance we could fix right now if we had a magic wand to make your job easier?
- What kind of culture does your particular group have? Do they prefer posters? Direct emails? Videos? Rewards?
- Would you be interested in live-training for your team?
Questions like these, asked of a targeted cross-section of your population, will give you a roadmap to be successful. You can then take this data and formulate your plan, including what topics to cover, how you will communicate, and any immediate wins you can focus on.