By Jason Hoenich on Feb 20, 2019
It’s been a few months since the last webinar, but Habitu8 founders Jason Hoenich and Chad Loder are all in on this installment with information security pro Shayla Treadwell. Shayla will answer the question that nobody is asking but everyone should be asking: What the heck is a security awareness strategy?
Before diving in, Jason reminds the crowd that—wait, really?—there are tons of free guides and resources and even free videos on the website for download. The videos are all entertaining and designed with empathy in mind, because that’s just how Habitu8 works. There’s a free trial, too, so you should probably sign up for that before reading about what it takes to craft a security awareness strategy.
You already know Jason and the once-frustrated CISO Chad, so let’s get to know Shayla. Shayla is an organizational psychologist and information security professional who cares about transforming organizations and understanding how people learn and receive information in order to strategically build awareness programs that work.
Jason became an applause-happy superfan of Shayla at a security awareness summit last year, where she spoke about using behavioral psychology and marketing tactics to craft security awareness strategy—and it all resonated with Jason, who couldn’t stop clapping and cheering because it was all “100 percent spot-on.”
People think that strategy and planning are the same thing, so they either don’t plan or don’t strategize. But they’re not the same thing! When you start strategizing, it can change the way you deliver messaging and content, which is the planning piece. Chad hits it on the head: People jump in and want to start fixing stuff right away, but they miss the strategy side of things, which creates false starts and poor execution.
Strategy is a necessity for success, and the best strategy starts with understanding risk-based awareness and leveraging incident information. And there’s more to security awareness than following or planning around best practices, which makes Jason wonder: Who even wrote these best practices? It doesn’t seem like they were written based on actual experiences. They don’t really work in the field. We all agree.
Either way, Jason’s excited, Chad’s excited, and Shayla’s ready to lay some knowledge on us.
Strategy vs. Planning
Shayla launches into the most basic way to understand the difference between planning and strategy (and strategy, by the way, must be flexible).
- Strategy is the framework for making decisions. It’s literally saying, “If this thing happens, then this other thing happens.”
- Planning is the process of thinking about what you’ve got to do to achieve a desired goal.
Now that that’s out of the way, Jason says what we’re all thinking: Strategy is so hard to do! Shayla responds: It’s not hard; it’s just a different way of thinking about things.
What does she mean? There are plenty of competencies required for the field of security awareness, and these professionals have to be highly analytical people who can understand compliance. But the one competency missing and never acknowledged is strategy. If a security awareness professional wants employees to make the right decisions, they’ve got to be able to create a strategy to make employees want to make that decision.
Strategy vs. Leadership
But wait, there’s more! Along with the ability to tackle strategy is the quality of leadership. Leaders create environments where answers can be found—they don’t create the answers themselves. Although plenty of security awareness professionals have been asked to step up and lead, they haven’t been asked to be strategists, which goes hand in hand with being a leader.
Everyone on the webinar gets super excited and throws out a bunch of books on leadership we should all be reading:
All this leadership talk prompts Jason to suggest that security professionals need to ask what they aren’t getting from their current leaders. Shayla follows up with a caveat: In the security field, a lot of times companies have one-person teams. Although a solo security professional might not feel like a leader, there is such a thing as an informal leader. You might not have a title, but you’re constantly influencing people.
Jason gets this, because he was once that guy happy to sit in the back of the cubicle and fly under the radar. Then he realized that, if he wanted to effect change and be a leader, he actually had to speak up.
The takeaway? Be in the conversation! The only way to change your awareness program and build a culture of security is to speak up, embrace the leadership role, and start strategizing.
Creating the Strategy
To build a strategy for awareness, Shayla says, you’ve got to start by understanding external threats. She recommends spending about 20 percent of your time understanding external threats because that information will help you shape conversations you have with leadership.
But wait, Chad says, what if you don’t have a response team? What if you’re in a smaller, bootstrapped environment and don’t have a specialized team? Shayla’s advice is simple: Watch the news every single day! Yes, it’s as simple as that. Chad loves this tactic, too, because if your employees are seeing things in the news, it puts you in a position of being able to assess risk and act as a better resource for employees.
Jason calls it homework, and Shayla says that to be a security awareness professional, you’ve got to be a lifelong learner. You’re constantly having to learn and ingest information, and you’ve got to be able to convey all of that to your employees in a way that is accessible and makes sense. Basically, if you can walk into a fifth-grade classroom and explain phishing to students, you’re doing really well as a security professional.
Next up, check in with your incident management team and get in sync with what’s happening in your internal environment and incident response:
Understanding this lifecycle and root-cause analysis, Shayla says, is important because incidents can escalate into crises and disasters, which is what you want to avoid. Chad delivers a solid example:
- Why did this incident happen? Someone used a default password on a router.
- Why did they do that? They weren’t trained.
- Why weren’t they trained? They’re a contractor, and we don’t train contractors.
Boom! The resolution is training contractors.
Lastly, you’ve got to understand your organization’s risk appetite by looking at probability versus impact. Start by looking at your policies and see what they say, because a lot of organizations think they’re risk averse and don’t have the right language on the books to handle risk.
Shayla shares a pretty hilarious banana factory scenario to explain that risk appetite is about looking at all the possible scenarios your organization faces, and what the appetite is, and making sure you’ve got training in place to avoid risks from a human perspective.
What are the major takeaways?
Here you go:
- Strategy is a necessary competency to build effective information security training and awareness programs.
- Strategy and planning are different, but each is necessary.
- Focus on understanding the external threat environment to help guide awareness and training.
- Leverage incident information from your organization to know what training gaps you have.
- Know your organization’s risk appetite to understand the parameters of your training.
Does strategy follow any frameworks?
Most frameworks, including NIST, end up having similar approaches when it comes to determining acceptable risks, and Chad says it’s better to start there than work against the grain of the organization. Shayla says to look at NIST 800-16, ISO, and COBIT but that, no matter what, you can’t fail with any of them. Sometimes leadership will ask for some kind of regulation or framework that you have to use. Just clarify the difference between the strategy and the framework.
Watch the webinar here. Don't forget to download the notes from the webinar!