Without awareness, there is no security. Truly an inseparable pair!
This is Day 4 of RSA Conference 2018, and the Terranova team has been engaging in some interesting conversations. You have expressed views and concerns regarding Information Security Awareness (ISA). And we are taking notes!
The article that follows discusses the first phases of implementation of a security awareness program. What goes into the analyzing and planning stages of an effective program for cybersecurity awareness? How do we begin? Here is Tom’s story.
Tom went to the office on Monday. He noticed that the security awareness program, which he had been working on for the past weeks, would not be ready on time. Something was missing. Over the weekend, after chatting with peers, he came to the realization that his program was incomplete. It had no clear roadmap, no thorough preparation phase. In fact, C-level executives have not even approved the budget. He had forgotten to include business leaders in the early stage of the security awareness program.
What did he do, you ask?
Well, he paused for a little while.
Then, Tom got back to work.
He researched. His investigation allowed him to discover the following article, published March 2018: Tailor the Right Program for Your Business! That is when it hit him. “I need more than a check-the-box program,” he thought. “I want to implement a program that is complete and effective, which will generate results and instill a long-lasting culture of security across my organization.”
Tom understood that a successful security awareness program was composed of key elements, including a clear communication strategy – collaborating with several groups in the organization – an analysis of the actual risk landscape affecting his company and end users, and ultimately, a clear plan to move forward. And so, Tom began such analysis.
A Clear Communication Strategy Gets Your Message Out There
We have all heard the saying: “Communication is key.” Well, as cliché as it sounds, it is true. No message will reach its destination without a coherent and consistent communication strategy that has been specifically designed to appeal to a well-defined audience – in this case, corporate stakeholders. If you want your security awareness program to get the funding it needs, then you must build your case accordingly. Look into the different areas of vulnerability that impact your business. Do you spot any common trends? If so, take note. What security professionals should understand is that business leaders need to feel compelled by your message.
Therefore, stating your case before upper management, you have the opportunity to present a concise overview of the current security standing of your organization, coupled with strategic objectives, as well as approach and metrics. In such occasion, you effectively obtain their attention and support.
Likewise, as you define your audiences for your security awareness program, you must frame your message, using the right communication tools. This is also part of your communication strategy. Your program, and its message, directly shape the overall workforce and organization.
This also means that you have involved internal communications and HR specialists early in the process as they provide important insight on the strategy itself, as well as the various audiences that form the pool of participants for your security awareness program. Such considerations are fundamental to pre-implementation. Establishing a communication strategy in the early phase of the program signifies that you thought about key actors and how each group will take part in the collaboration. This gives weight to your case – especially in the eyes of corporate executives – as it becomes a business-wide initiative, involving participation at all levels. Also, make sure to highlight who signs the campaign message as this element indicates to audiences that upper management supports the security awareness initiative. If the signatory holds an executive position, your program will acquire added value and have considerably more impact on end users – as they will recognize that upper management is leading by example.
Know Your Organization’s Risk Landscape
Security awareness programs imply behavioral change. Through an effective awareness initiative, organizations seek to improve end user performance regarding cybersecurity. Regardless of the audience, information security best practices represent the nucleus of the overall message. To achieve such result, security professionals must spend a little time getting to know the organization’s primary areas of concern. This means making use of pre-campaign surveys or evaluations to test end user knowledge about cybersecurity best practices. Before you can even deploy training opportunities, you need to know what content best suits a particular group versus another.
Analyze your audiences. We use the plural mode deliberately here as your security awareness program will include a range of campaigns, each geared toward a specific group. Each audience will demand a training curriculum that is adapted to their needs, roles, and their capacity to understand awareness material. Therefore, to successfully carry out a security awareness program, you must evaluate such elements and incorporate them into your campaign objectives. This will help you set the goals for both your campaigns and cybersecurity program.
Planning your security awareness initiative
Your program requires a high level of preparedness. Security awareness does not happen in a vacuum. In fact, your plan serves as your roadmap that will steer your program one direction, versus another, and set the tone for any subsequent campaigns. Once you have established your objectives, you are ready to map out the metrics and measures that will help you track the progress of your objectives.
Going back to Tom’s story, we notice that he has not engaged any colleagues from fellow departments, notably HR, communications, compliance, and IT. Moreover, he has failed to include upper management in the equation. Indeed, before you deploy any security awareness program, you must engage key actors. Together, you form an alliance. And many tend to agree that power often comes in numbers. From the perspective of corporate executives, you make a far more compelling case – one that has gusto. No security professional should underestimate the role of planning when it comes to selling the idea of a security awareness program to colleagues and senior management alike.
On this note, planning for a thorough program implementation entails the launch of multiple campaigns, focused on specific themes, seeking to engage and inform various audiences. By planning, you optimize your efforts in end user engagement. Since you know your audiences, you have the ability to promote the most strategic communication material. More importantly, you have just added considerable value to your security awareness program.
Your organization. One program. One voice.
Tom understood that he must align the security awareness program with the needs of his organization as well as its various audiences. To do so, he needed the approval of senior executives and the participation of colleagues. The best way to engage such groups was to analyze vulnerable areas, set clear objectives, and establish metrics. You accomplish these actions by planning early, prior to program launch, and relying on strong communication material that will ensure engagement within your organization. Only then, will your program adapt to your organization and its end users.