Surround yourself with a strong multidisciplinary team
Implementing a security awareness program is a big project that should be evolving and continuous. This type of project has a ripple effect that will extend beyond the team, unit or department initially targeted. Sound management of such a program depends on the establishment of a complete security awareness team. This team is given the responsibility of managing all the phases of the project (analyze, plan, deploy, measure and optimize).
What is the mission of a security awareness team?
Operational mission
The first mission of a security awareness team focuses on operations. Operational support encompasses management of the financial, human and material resources required to achieve the objectives of the awareness program. This mission consists of:
- Facilitating access to resources (human, financial and physical).
- Identifying the tools needed for effective program management.
- Helping identify the methods for communicating results as well as potential relayers of the information within top management.
- Conducting the necessary follow-ups to guide the process or correct the gaps noted in awareness activities.
- Coordinating the program’s deployment phases.
- Establishing priorities, coordinating awareness activities and determining the type of support needed for carrying out the activities.
- Making the necessary decisions for appropriate management of the project (additional resource allocations, review of project scope and implementation deadlines, etc.).
- Identifying experts who can provide their professional opinion as needed regarding issues that require specific knowledge that the team does not have.
Strategic mission
The security awareness team must also act strategically and provide the leadership needed for each phase of the cyber security awareness program (analyze, plan, deploy, measure and optimize) by carrying out the following activities:
- Obtaining support for implementing the different phases of the program.
- Demonstrating how the campaign fits into the organization’s strategic direction.
- Incorporating the behavior change proposed by the program in the organization’s policies, procedures and documents.
- Promoting the target audience’s appropriation of this behavior change and its compliance with the awareness program.
- Helping identify the best communication strategies and the objectives to be pursued by the awareness program.
- Helping identify priority targets and learning needs.
Who should be on the security awareness team?
The security awareness team goal is to create a structure that brings together individuals in key positions who have diverse skills that will ensure the success of the cyber security awareness program.
The following members are considered essential to the creation of a security awareness team:
The Program Sponsor is typically a member of senior management who instigates the program. The Program Sponsor’s main responsibilities are to maintain effective communication among the parties and to ensure that sufficient funds are available to implement the events planned.
The Project Manager reports directly to the Program Sponsor and ensures that the program is well managed. The Project Manager is responsible for operational management activities related to the program’s implementation. The Project Manager coordinates and ensures the completion of all the program phases of the cyber security awareness program (analyze, plan, deploy, measure and optimize) and approves the format and content of the program’s awareness activities.
The Communications Advisor outlines and manages the communication strategy for the deployment of the awareness program. As with any other organizational initiative or change, a cyber security awareness program must be announced and explained to the intended audience. The Communications Advisor develops the communication plan and supervises the implementation of the activities under the plan.
The Subject Matter Expert produces the content to be used for the activities carried out under the cyber security awareness program. This key player in the creation of various content formats (online courses, reinforcement tools, videos, phishing simulations, etc.) guides the selection of security risks to be covered by the awareness program. The Subject Matter Expert is selected from among the members of the security team.
The Security Awareness Platform Administrator ensures that the technology is working properly and the awareness program is running smoothly. The Administrator configures and manages the security awareness platform platform or manages functional testing and ensures that all employees have access to the content deployed.
One word of advice: the security awareness team should be as small as possible so that it can be easily coordinated, because the more members it has, the more complex the communication process. It is therefore important to involve only the few people who are indispensable to the rollout of the awareness program. The security awareness team is free to collaborate with experts (statisticians, translators, graphic artists, etc.) from time to time when it has a need for outside expertise.
Lastly, keep in mind that the size or composition of the security awareness team can change with time. It is therefore important to maintain a common vision of the intended objectives and to clearly define the role of each team member and establish a good work pattern. The proper functioning of a security awareness team also depends on having a work climate based on mutual trust and respect for each other’s expertise. With these elements in place, all the conditions will be right to ensure a seamless rollout of the cyber security awareness program.
Learn more about setting up a security awareness program and team in this eBook:
Download The Human Fix to Human Risk eBook
Download “The Human Fix to Human Risk,” to learn about Terranova’s simple five-step framework for implementing a comprehensive security awareness campaign that effectively changes employee behavior.