When I was asked to keynote a CSO event four years ago, I was pleasantly surprised to find that security culture was the top concern of the CSOs in attendance. Having performed many security assessments and penetration tests, I can tell you it is sadly obvious that even the best technical security efforts will fail if the company has a weak security culture. At the time, I was heartened to see that CSOs were moving past straight technological solutions and towards instilling a strong security culture as well.
In the intervening years, the perceived importance of security awareness programs has seemed to grow exponentially. And the resources allocated to them have increased as well.
Here is what I would consider the most relevant elements to integrate into a security awareness program.
1. Obtain C-level support
Having C-level support inevitably leads to more freedom, larger budgets and increased support from other departments. Anyone responsible for running a security awareness program should first at least attempt to obtain strong support before focusing on anything else.
Yes, getting this level of support can be difficult, but there are certain best practices that will improve your chances of success, including highlighting the fact that security awareness is required for compliance and that awareness efforts will inevitably save the company money. Creating materials specifically for executives, such as newsletters and short articles highlighting relevant news and tips can also help garner that much-needed support.
2. Partner with key departments
Successful awareness programs find a way to involve other departments, such as legal, compliance, human resources, marketing, privacy and physical security. While it is easier to get this support if you already have C-level support, these departments frequently have mutual interests and might be amenable to providing additional resources, such as funding or distribution. Frequently, these departments can make security awareness efforts mandatory. For example, the legal and compliance departments carry a great deal of influence throughout the organization and can make security awareness a required component of other processes, such as new hire indoctrination.
To obtain this support, you might have to incorporate the needs of the cooperating departments with the general security awareness efforts. For example, you might suggest that you can use a security awareness newsletter to include compliance content. If it gets you the support you need, the effort is definitely worth the trouble.
It is also worth noting that most organizations require the involvement of other departments. For example, you may need to have corporate communications approve and distribute materials to employees; they likely have policies that govern how materials are to be distributed and the formats of those materials. You need to discover issues like this as quickly as possible.
3. Be relevant
It seems like most awareness programs are a standard check-the-box program, and content is driven by a list of potential computer-based training videos. As was demonstrated by the attempted Syrian Electronic Army attack against this publication, awareness programs that focus on timely information can be successful and prevent attacks.
The attacks don’t have to be imminent against your own organization, though. There is plenty of fodder for relevant information. WannaCry was an excellent example of a cybersecurity related issue that received mainstream attention. Hacks against major retailers are another example of security issues made mainstream. Your awareness program should make regular use of these attacks to demonstrate the relevance of your efforts. This, in turn, motivates your users to follow your advice.
4. Measure success
One of the key factors in having a successful effort is being able to prove that your effort is successful. The only way to do this is to collect metrics prior to initiating new awareness efforts. Without establishing a baseline, it is hard to demonstrate that your efforts had more than assumed success.
The metrics can include surveys on attitudes. They could also include the use of phishing simulation tools before and after awareness training. You can also examine the number of security related incidents reported to the help desk, the number of virus incidents, or reports from a webcontent filter that give the number of attempted visits to banned websites. When you can show measurable improvements in any aspect of security, you can better justify your program and obtain additional funding and support. Just about every department in a company has to prove its value, and security should not expect to be an exception.
5. Be the department of how
Too frequently security departments seem to be the “Department of No”. They focus on telling people what they shouldn't do, when the reality is that people will find a way to do whatever they want to do. While I acknowledge that there are clearly some actions that should not be allowed, those should be the exception rather than the rule.
Awareness efforts that focus on how to accomplish actions safely are more successful than those that focus on telling people not to do things. Ideally, awareness programs should tell people how to interact with information securely both at the office and at home. For example, instead of telling employees that they shouldn't be on social networks, teach them how to safely use social networks.
6. Incentivize awareness
Create a reward structure that provides incentives based on actual behaviors demonstrated by employees. While it might not be practical for all organizations to implement this type of comprehensive gamification program, there is still the opportunity to implement some incentives and reward people for appropriate security behaviors.
For example, you can reward people for reporting potential security incidents. Such incidents may include the reporting of phishing simulation messages. Find as many ways as possible for users to demonstrate good behaviors, and create an appropriate reward structure. (This article is good background reading on incentivized awareness: https://cybersecpsych.com/2017/06/19/cognitive-dissonance-in-the-end-user-examining-attitude-for-behavior-change.)
7. Use a variety of awareness tools
While there is a place for computer-based training modules, too many programs rely on them completely as an awareness program. The most successful programs incorporate a variety of awareness tools, including newsletters, posters, games, newsfeeds, blogs, phishing simulations, etc. The most participative efforts appear to have the most success.
Another issue to consider is that materials should take into account the different demographics of your users. Diversify your materials to appeal to as many users as possible. There is definitely no such thing as "one size fits all" security awareness.
This is by no means an exhaustive list, but an excellent starting point. Remember, habits drive security culture, and there are no technologies that will ever make up for poor security culture. Awareness programs, when properly executed, provide knowledge that instills behavior. While most security professionals believe that good security behavior is a matter of common sense, the reality is that common sense is based upon common knowledge that needs to be made even more common.