Sunday 13 March 2016

Your Information Security Awareness Program

In this inaugural blog post I want to cover my favourite subject - Information Security Awareness. 
About four years ago I was at a conference in Malta and was lucky enough to see a presentation by Lance Spitzner. That day Lance spoke about how to implement an information security awareness program and it was one of those ‘right place and right time’ moments for me (And yes, I’ve since told Lance that he's my hero). My organization had little or no awareness program in place at the time and certainly nothing formal. When I went back to work I went about implementing a program and have been developing it ever since.
So much of what I initially worked on was based on the SANS Security Awareness Maturity model.
I found this useful for two reasons:
1. Each phase highlights exactly what is needed to be at that level of maturity so I didn’t have to create anything new.
2. Whenever I was challenged on why I was doing something I was able to say that this was industry best practice that defined how to mature our program. This always seemed to be the perfect answer I needed.

Security Awareness is probably the area of Information Security I am most interested in, and I'm constantly trying to find new ideas that would be suitable to use for my company.
While there are many aspects of a successful Security Awareness program, the ones I have seen as being of most value include:
  • Getting senior management support. Without this you simply will not get traction, no matter what the size of your organization. I was lucky enough to have this and it has been the main reason for the program's success. This should be a priority.
  • Developing a network of information security champions to act as a network of ‘change accelerators’ in your business. You cannot do all of this yourself, and a champions’ network allows flexibility to deliver messages on the ground and, more importantly, provides an essential feedback loop to you on what is working and what is not.
  • Consistency. Developing a program takes time. Deliver your program on a consistent basis and through varied channels to keep it interesting.
  • Metrics. This is a difficult area (and one I will focus on specifically in future) but one I cannot stress enough. Measure your program and tweak the metrics over time to help drive the maturity and justify your activities and planning.
  • Don’t be limited by lack of money. I have done so much without much money at all. The resources are out there. All it really takes is the will and the consistency. (That said, a small amount of money is inevitably required for things like phishing testing and prizes.)


Whether you are at the start of your awareness development or if you think you are already quite mature, there is a range of excellent resources you can pull from. Some of the ones I have found most useful are outlined here:



The one thing I would like to finish on is that, while related, security awareness and behaviour change must be seen as two different things. That is why I feel the security awareness model alone is not enough. How I have taken this to the next level by starting to implement, track and measure behaviour change will be the subject of a future blog post.

2 comments:

  1. The blog is too good and informative, where I would like to discuss this in my blog. Thanks for sharing.
    security awareness training

Please let me know what you think.