What it takes to build a successful security awareness program

Ira Winkler, CISSP, president of Secure Mentem

When I was asked to keynote a CSO event four years ago, I was pleasantly surprised to find that security culture was the top concern of the CSOs in attendance. Having performed many security assessments and penetration tests, I can tell you it is sadly obvious that even the best technical security efforts will fail if the company has a weak security culture. At the time, I was heartened to see that CSOs were moving past straight technological solutions and towards instilling a strong security culture as well.

In the intervening years, the perceived importance of security awareness programs has seemed to grow exponentially. And the resources allocated to them have increased as well.

Here is what I would consider the most relevant elements to integrate into a security awareness program.

1. Obtain C-level support

Having C-level support inevitably leads to more freedom, larger budgets and increased support from other departments. Anyone responsible for running a security awareness program should first at least attempt to obtain strong support before focusing on anything else.

Yes, getting this level of support can be difficult, but there are certain best practices that will improve your chances of success, including highlighting the fact that security awareness is required for compliance and that awareness efforts will inevitably save the company money. Creating materials specifically for executives, such as newsletters and short articles highlighting relevant news and tips can also help garner that much-needed support.

2. Partner with key departments

Successful awareness programs find a way to involve other departments, such as legal, compliance, human resources, marketing, privacy and physical security. While it is easier to get this support if you already have C-level support, these departments frequently have mutual interests and might be amenable to providing additional resources, such as funding or distribution. Frequently, these departments can make security awareness efforts mandatory. For example, the legal and compliance departments carry a great deal of influence throughout the organization and can make security awareness a required component of other processes, such as new hire indoctrination.

To obtain this support, you might have to incorporate the needs of the cooperating departments with the general security awareness efforts. For example, you might suggest that you can use a security awareness newsletter to include compliance content. If it gets you the support you need, the effort is definitely worth the trouble.

It is also worth noting that most organizations require the involvement of other departments. For example, you may need to have corporate communications approve and distribute materials to employees; they likely have policies that govern how materials are to be distributed and the formats of those materials. You need to discover issues like this as quickly as possible.

3. Be relevant

It seems like most awareness programs are a standard check-the-box program, and content is driven by a list of potential computer-based training videos. As was demonstrated by the attempted Syrian Electronic Army attack against this publication, awareness programs that focus on timely information can be successful and prevent attacks.

The attacks don’t have to be imminent against your own organization, though. There is plenty of fodder for relevant information. WannaCry was an excellent example of a cybersecurity related issue that received mainstream attention. Hacks against major retailers are another example of security issues made mainstream. Your awareness program should make regular use of these attacks to demonstrate the relevance of your efforts. This, in turn, motivates your users to follow your advice.

4. Measure success

One of the key factors in having a successful effort is being able to prove that your effort is successful. The only way to do this is to collect metrics prior to initiating new awareness efforts. Without establishing a baseline, it is hard to demonstrate that your efforts achieved anything beyond assumed success.