The Need for Security Awareness Programs

Agenda

1) The Need for Security Awareness Programs
2) Security Awareness as a Product
3) Phase 1 – Identify Target Audiences and Product
4) Phase 2 – Identify Product Distribution Methods
5) Phase 3 – Obtain Management Support
6) Phase 4 – Product Launch
7) Phase 5 – Effectiveness Assessment
8) Ongoing Enhancements
9) Ideas for Customized Campaigns
10) Conclusion

The Need for Security Awareness Programs

Implementing a strong information security awareness program (ISAP) can be a very cost-effective method of protecting critical information assets. An effective ISAP is needed to help all employees understand:
• Why they need to take information security seriously
• What they gain from active participation and support
• How a secure environment helps them complete their assigned tasks

The Need for Security Awareness Programs

Like any other marketing or sales organization, the CISO (Corporate Security Officer/Organization/Office) needs to develop, market, support, and improve a product – in this case, the product is awareness:
• Disseminated in several formats
• Structured by specific campaigns
• Provided by diverse delivery techniques

To bring this product to the customer – employees and management – several phases must occur.

Phase 1 – Identify Target Audiences and Product

The awareness program’s messages (product) must be prioritized and segmented by target audience (general, management, technical, etc.). During this phase:
• Campaign themes will be established
• Customer audiences will be defined and targeted
• The product will be defined ( , mascots, desktop systems, posters, gadgets, others)
• Delivery schedules will be defined
• Specification for ongoing support will be defined

Phase 1 – Identify Target Audiences and Product (cont)

Also during this phase:
• Benchmark statistics will be captured (help desk calls, trouble tickets, logs, system level availability, system service calls, incident post-mortem reports)
• Success criteria will be defined
• Roles and responsibilities for ownership and stewardship will be defined
• A pilot group will be selected and informed of their role

Phase 1 – Identify Target Audiences and Product (cont)

Budgets must be discussed in this phase!!!!!!

Phase 2 – Identify Product Distribution Methods

In order to bring the product to the target customer in a cost-effective and timely manner, proper distribution channels must be established and schedules developed. The product must be culturally acceptable to the organization, and may be distributed formally or informally. Some distribution will be mandated by management (new-hire orientations, quarterly meetings, or management review processes). In other cases, the product distribution may depend on the target audience (surveys or drawings). Product may also be distributed by “drop” mechanisms.

Phase 2 – Identify Product Distribution Methods (cont)

Potential channels for distribution include:
• Audio (voice mail, help center recordings)
• Video (kiosks, CCTV, customized or purchased)
• Formal Training (scheduled or one-time)
• Orientations (new hire, mergers and acquisitions)
• Posters (humorous or serious)
• “Lunch & Learn” (full cafeteria or special sessions)
• Desktop Systems (calendars, Web-based reminders)

Phase 3 – Obtain Management Support

The most successful ISAPs have full management endorsement and enthusiastic support from the highest levels of the company. During this phase:
• You will need to be a motivator, cheerleader, and politician
• Management will receive progress reports and product samples
• Schedules for product launch will be formalized
• Messages from management announcing the ISAP will be issued

Phase 3 – Obtain Management Support (cont)

Also during this phase, certain traditional I/T functions should be noted and executed:
• Take the traditional “test” to “quality assurance (QA)” to “production” stance
• Ensure that activities are listed as formal projects on change control proceedings and/or production schedules
• Obtain support and authorization from Legal, Public Relations, or Corporate Security departments

Phase 4 – Product Launch

The ISAP has (hopefully) already been publicized in Phase 3. When the launch date is selected, activities in this phase include:
• Distribution channels will be established as identified in Phase 2
• Support processes will be enabled
• Distribution schedules will be finalized
• The project moves from “test” status to “QA” status

Phase 4 – Product Launch (continued)

Several points to consider during the product launch:
• Follow-up meetings may be scheduled (“test panels”)
• Survey forms and evaluations should be provided
• “Thank-you” tokens for pilot participants may be in order
• Feedback to pilot participants is important!!!!

Phase 5 – Effectiveness Assessment

The implementation should now be considered in “production” status, based on the following results. The ISAP should show results in tangible measurements based on Phase 1 benchmarking:
• Fewer help center calls
• Closer adherence to standards
• Fewer incidents requiring response
• Improved SLA metrics

Phase 5 – Effectiveness Assessment

The ISAP should also show results in intangible measurements based on Phase 4 follow-up:
• Increased employee enablement
• Employee pride in ownership
• Increased understanding of organizational goals
• Increased productivity
• Improved performance

Ongoing Enhancements

The ISAP should be evaluated at the end of every campaign (or at least quarterly) to assess impact and benefit to the organization.

Ideas for Customized Programs

Ideas for Customized Campaigns

• AntiVirus
• Data Classification
• Business Cycle (sales, R&D)
• Laptop Safety
• Physical Security
• Privacy
• Regulatory (HIPAA, GLB, 21CFR11)

Conclusion

Hopefully, you now have a fresh approach to building a security program that delivers meaning and value to the entire organization. Questions and comments are welcome at this point!