How to Stimulate Organizations’ Security Awareness Training Programs
We all know how important security awareness training is for an organization. Moreover, we try to enhance our efforts by weaving security into the “culture” of the organization. Yet, from the employee’s perspective, it all gets very stale. It seems like it is always the same message, but if that is the case, why hasn’t this knowledge been adopted into the corporate consciousness? Perhaps it is our approach. We asked a panel of experts for some ideas about how to stimulate and invigorate security awareness training in an organization. Here are their thoughts:
In terms of rejuvenating a security awareness program, there are several approaches I take. Firstly, I ask you to remember you’re dealing with people, and people don’t like to be talked ‘at.’ They also don’t generally like to be bored! It doesn’t matter if you’re speaking to the global head of the business or the new intern just starting out. They are people. People with hopes and dreams, fears and uncertainties. When you’re putting your security program together, you must first seek to understand the people as well as the organization. After all, you can’t protect what you don’t understand.
Understand where the data is and what the touch points for that data flow are – technical, physical, and human. Speak to the head of IT, Human Resources, Operations, Marketing, Sales, and Finance to understand how they feel about information security. Ask them what concerns them most about information security. Ask them what has worked previously to raise awareness of other topics (such as H&S). Ask them what would they find most useful in terms of Information Security. At that point, you can start to see where some of the issues are and also whether any potential single points of failure or ‘blockers’ might exist. From here you can begin to build your information security program from a place of awareness and understanding. First, seek to understand, then be understood. But in order to be understood, you must make your message memorable, so be creative and think about your topic from the point-of-view of the consumer (i.e. your organization). You want them to buy into your message, so be clear on what that message is. Also, be willing to be bold and do something different. Approach information security like a storyteller and create something exciting to be involved in. It is possible. I know because I’ve seen it and done it.
I know lots of people who have experienced the challenge of refreshing a security awareness program. The important thing is to know where you’re at. If you want to make progress on the human side of security in your organization, you have to know what you’re dealing with. For me, that’s about really understanding the existing culture of the organization. What kind of culture do you have in general? What kind of security culture do you want to advance and develop? To achieve that, you’re looking at values and behaviors. You’re looking at senior leadership and all of these different factors. Only when you know what you’re dealing with can you then make a plan to move forward.
Often, when you’re planning to move forward, you’re looking at a specific point that you want to reach with the security culture. So, what do we do? What behaviors would actually reflect that culture? If we want to get to those behaviors, what awareness raising do we have to do to positively influence those behaviors? For that, you’re looking at a mixture of where you want to get to, where you are now, and what kind of threats you are facing that are most paramount. You can’t deal with all of them at once, but the best approach is to pick the ones that are most relevant to your organization, the ones where you want to see the most progress, and begin with that focus.
Maurice Uenuma | LinkedIn
While this is not a new idea, it is still so important to focus on security culture because people still remain the greatest attack surface and most vulnerable attack surface in any organization. So, training, education, awareness, and culture are going to be important. Being able to protect virtualized and containerized environments going forward, the integrity of critical systems, and understanding the state and the changes occurring on those critical systems are also very important. Finally, control system cybersecurity must be addressed as well.
I always concentrate on application security and software security because that is my focus. Every company that makes custom software needs an application security program. That’s what I teach at the WeHackPurple Academy. Just talking to developers and figuring out what their system development life cycle looks like is also vital. Questions such as “Are you doing agile?” “Are you doing DevOps?” And then figuring out where you can weave security throughout it with the least amount of friction. There are always places where you could drop little things in and help improve the security. Educate your developers by showing them examples such as what happened with the SolarWinds event and then showing how they could prevent that in this environment.
I’m a firm believer in supporting the developers and making secure software rather than coming in and whacking them with sticks. I would say to any company, “If you have a whole bunch of software developers under you, then you should also have a program to support them and make sure that they create more secure software.” Sometimes, it doesn’t need to be expensive. It depends on what level you’re at.
In terms of what I do with security awareness, I would recommend engaging with the people that you are trying to educate. Oftentimes, we have this view that humans are the weakest link, so we put a security awareness program on a computer to teach security awareness training, but we are not actually engaging with the target audience. You have the consumer who’s going to consume the product, but if you don’t know what or how the consumer communicates, what their struggles are, or what their understanding about security and safety involves, you lose them.
The best way is to hold some question and answer sessions as well as conduct a survey. Also, visit different departments to see what they’re struggling with and what their communication language is. Have different ways to go about that. The security training could be an annual process, but you could have different events, different games, and different ways to communicate security to them in a way that you’re engaging with them.
Sometimes, I feel like we create things, but we don’t actually realize the audience that we’re talking to, what resonates with them. Focus less on what you’re supposed to do and focus on the end goal. And then, examine how you can get to that angle, even if it’s somewhat unconventional, to drive home a point. We see some security platforms and security awareness training do that, but it’s possible to really hone it, realize that it is okay to “let loose,” and allow security to be something that blends education and entertainment.
A personal touch in Security Awareness Training matters
Many times, the failure with security awareness programs is not the message but the medium. Most of our experts express that an interpersonal connection can make the difference, elevating the often stereotypical security messages to new, more effective heights. Even if your company is a global enterprise, there is a way to make each and every employee feel that they are part of the process towards a unified security approach.