Habitu8's Complete Security Awareness Program Plan & Strategy Guide
The purpose of this guide is to provide actionable guidance and strategy for establishing and maturing your security awareness program. This guide is based on real-life experience from the experts who created the security awareness programs for The Walt Disney Company, Sony Pictures Entertainment, Activision Blizzard, and more.
*Security Awareness is a universal term for the sake of this guide. There are many ways to refer to it that we've seen ranging from Security Education, Trust, and Culture to highlight a few. Pick one that feels right within your company culture.
Security awareness is a highly important function and will have by default, high visibility & impact across the company. This is one of very few programs within organizations that interacts with end users on a consistent basis, and should be supported as such.
Your security awareness program goals and initiatives will quickly become obvious to your end users. Programs unable to connect with the unique culture of the company will fail quickly. This is security marketing. We're trying to do the same thing as consumer brands, influence user's decision making process in a way that benefits the advertiser. We're doing it to get users to make better security decisions. Makes sense, right?
SECURITY MARKETING: The use of marketing techniques within security awareness to create behavior change.
It will be crucial to the success of your program to establish a series of agreed upon goals and initiatives that have been approved by a small, internal committee. We've outlined goals we feel have the greatest impact and have been successful across multiple unique organizations and are proven to be highly effective.
First you'll want to know what the point of your program is and being able to state this clearly and simply will come in handy over time, trust us. Here is a soft example of what we suggest:
Program Mission Statement
The goal of the Security Awareness Program (or whatever you call yourself) is to change behavior. In order to change behavior and: (choose one which feels right for your company)
- nurture a culture of security, or
- communicate the correct security behavior, or
- create a secure-minded workforce, or
- not land on the front page of the news, or
- strengthen the human element of security risk, etc.
…the Security Awareness Program will address identifying bad/risky habits and replacing them with preferred/secure habits. This is a long-term, custom program designed to meet compliance and legal requirements as well as change behaviors.
Great! Now that we have stated the mission of the program, what you'll want to do next is highlight the key roles within the program. Roles, titles, and responsibilities around a security awareness program are going to be very different from company to company.
The majority of efforts are focused on engaging with employees in some form or another, whether it is mass communications, required training, phishing training, or local events. A company that recognizes this early will be able to build that culture of security with less resistance. For your consideration:
MANAGER, SECURITY AWARENESS
Ideally, the Security Awareness Program should be managed by a dedicated resource, focused on building and maturing the role and initiatives of the program. This should be a senior level management role, or equivalent, within the information security or risk teams.
Historically, successful roles similar to this pull from the creative/right brain world, likely from a marketing/advertising background.
Establish a resource with soft people skills, high emotional intelligence, and a powerful communicator. You likely have enough technical resources and SME’s for this role to learn the technical threats and risk knowledge from, however creativity and effective communication can be harder to teach.
It will be critical that senior leadership across all stakeholder departments acknowledge the importance of the role and provide appropriate support. When possible, this security awareness manager should have a direct line of communication with the most senior information security leadership, likely the CISO, CTO, CIO, etc.
The CISO should be a clear champion of the program, role, and values of the program. The CISO can provide input and guidance regarding executive board concerns/fears, supporting conversations whenever possible, and representing the goals of the program to senior leadership.
The CISO should work to gain the buy-in of the executive board and provide top-down, unified support for the security awareness program.
Corporate Communications | The ongoing Relationship
All mass communications should be coordinated and approved by your communications department. This includes messages to large groups, company-wide distributions, and any content being delivered to “all company”.
Bringing your corp comms teams into the process early will help foster a positive working relationship. One that we see time and again is often...complicated at best. Including these teams early will help to establish (or rebuild) trust.
Do you know how companies get big things to happen internally? They have planning committees, and steering committees, and board members. The purpose of these groups is to help establish the goals of a program and make sure every stakeholder is represented, which ensures the success of the program.
We know these are powerful tools, so we suggest establishing one up front. It doesn't need to be excessive, but when created with purpose it will prove to be a key success factor for your security awareness program.
The advisory board should consist of various members from the InfoSec department as well as some key stakeholders from other departments.
The role of the advisory board is to assist the security awareness manager with planning, executing, and maintaining a successful and engaging program. Committee members for consideration:
- InfoSec stakeholders (IR, vulnerability management, governance, privacy)
- IT (email, architecture, helpdesk, etc.)
- Corp Comm
With this motley crew on board...GET IT??...your security awareness program plan objectives can now begin to identify your key users/roles across the company that make up your learners. It's good to know who makes up your environment, so you can provide knowledge appropriately. Good security awareness policy doesn't need to be too complicated and can be high-level. Consider these:
Who to Train
Try to identify specific types of roles/users who, in addition to receiving required training, may require a special version of training, delivery method, or specific topics. Typically, we find these types of users:
These employees are not limited by external contractual regulations (contractors/consultants) and would typically receive compensation benefits and payment directly from the company, and must complete compliance related trainings per policy.
To establish a baseline of knowledge/behavior expectation across the company. This helps address the most common risks in our organization, giving us the quickest compliance completion. This is as close to “check-the-box” compliance as we can get.
Annual required training (CBT, in-person, etc.), phishing training, new-hire orientation
Security policy highlights, data classification, acceptable use policy, what is an incident & how to report, regulatory requirements (PCI, SOX, HIPAA, etc.),
+ UNIQUE REQUIREMENTS
We provide compliance training in all required languages mandated by HR.
Any user (FTE, contractor, consultant) with privileged or elevated access to any IT resources. Common examples include system administrators, database admins, developers, helpdesk, and network engineers.
These users require technical training based on their role, and should acknowledge the power and associated risk of their access. Non-FTE must provide confirmation of training completion from source company prior to access to network.
Live training, course certification, online, CBT, onboarding requirements
Password practices & management, SDLC, role/industry appropriate
+ UNIQUE REQUIREMENTS
We need to involve an ambassador from each technical group for the development and delivery of the more technical, specialized security training.
C-level Executives & Their Support Staff
C-level executive roles and their support staff (admin team, assistants) represent very unique risk and are connected at the hip. Often times executive level access is delegated to support staff. Training both roles uniquely provides significant value.
These individuals represent a high risk to company due to daily access to highly sensitive information, international travel, and difficulty in reaching.
Live, in-person sessions with a custom (white-glove) feel.
Curated for specific behaviors/concerns of both the role/company culture/job requirements. Travel security, information protection (visas, calendar management), password & account management (no delegation of passwords), social engineering, social media security.
+ UNIQUE REQUIREMENTS
Most likely require in-person, custom training. We want to leverage the assistants to help train and guide their bosses. The assistants would be the first to receive training, as they usually provide clear insight into the habits and behaviors of their bosses.
Contractors & Temp Staff
Resources (external, non-FTE) working within the network, with access to the same data as employees. Some may be assigned company email addresses, others may be provisioned segmented network access.
These groups represent a high risk to company due limitation of training from contractual agreements. Often times these users have elevated or privileged network access as FTEs, yet are not mandated by the same training requirements due to legal contractual limitations. These users should be treated exactly the same from a risk perspective and should receive appropriate training based on role/access.
Onboarding process, CBT, and continual annual verification of knowledge & certifications via the sourcing vendor.
Password practices & management, SDLC, role/industry appropriate
+ UNIQUE REQUIREMENTS
Most likely require custom training, via onboarding methods. Legal should provide guidance on limitations regarding training external resources, but have a definitive support for providing training in some way, written into contracts.
Now that you've identified who you need to train, figuring out what you need to train them on becomes slightly easier. This usually includes the top 10 usual suspects, but should also include topics specific to your culture and roles.
What to Train
Focus on a small number of topics & behaviors that represent the greatest risk to your organization. Identify these risks by meeting with Infosec senior leadership, looking at past incidents caused by employees and reviewing industry reports, including the Verizon Database Incident Report (DBIR). In addition, several topics may be required for compliance or regulatory requirements. Traditional cyber security awareness training includes:
- Social Media Privacy
- Working Remote
- Wi-Fi Security
- Online Security
- Social Engineering
- Mobile Devices
So it's starting to take shape, right? Knowing who you want to train, and on what, you can now pinpoint how you want to deliver the goods. Part of solid strategy is considering your information security communication plan and how it will cohabitate with the other goals.
How to Train
You want to engage people. If users are not listening or are not motivated to change behaviors, your program will fail. The first step is to engage your audience. You can engage on two levels:
The company culture. You can develop a plan and approach in conjunction with senior management and corporate communications that reflects a top down, full support of the security awareness program initiatives and goals.
Work directly with senior leadership & corporate communications to identify opportunities to strengthen the support for security awareness and secure behaviors and habits. (Think all-hands meetings, CEO involvement, etc.)
Emphasizing that people have lives outside of work and are also subjected to the same types of risks is a great way to engage users. The intent will be to empower users with the ability to make smart, security-driven decisions in their personal lives that nurture secure habits; along with the tools and resources to maintain secure behaviors at work.
Giving them ways to protect their family is always big win.
It is likely you will have a few types of trainings you need to deliver. This is good. Identifying those and putting circles around them will be helpful as your program plan begins to take shape and you start considering maturity and phases. Here are types of trainings we've seen included in successful programs:
Annual Compliance Training
The primary required, annual training. This is often done as a CBT/video training online. The goal of the annual training is to both set the baseline training for our organization and ensure we are compliant. Whenever possible, it is extremely important to have HR assume operational control of online awareness training completion (assuming there is an LMS) and enforce the policy.
You should conduct phishing training simulations throughout the year. Users receive simulated phishing emails. Those that respond, receive on-the-spot training. This may include implementing some type of “report” button within Outlook/email platform to ensure proper and simple reporting.
Cyber Security 101
This is a live training course and is designed to cover the basics of cyber security, and is intended to provide useful tips & tricks for users to adopt in their personal lives. Departmental and role specific trainings are great ways to utilize this training method.
New Hire & Contractors
All new employees and contractors should be required to complete the online security awareness-training course within 21 days of the issuance of their organizational e-mail account (or prior to that if possible).
Major Awareness Initiatives
You can reinforce key behaviors through multiple methods throughout the year. These methods also help reach the different sub-cultures throughout the organization. These initiatives consist of the following:
Cyber Security Ambassadors
This group of volunteer employees will act as liaisons within their local corporate environments/departments/Opco’s. Similar to floor wardens for fire evacuation plans, the goal will be to empower already security-minded users with tools & resources to spread the awareness efforts of the company security awareness program.
Executive Assistant Network
This group will consist primarily of executive assistants to senior level executives. Similar to ambassadors, this group will help disseminate crucial InfoSec news & information directly into your users’ inboxes, from a familiar & trusted source.
This process engages senior management throughout your company to discuss candidly any security concerns/needs unique to their footprint. Results from these discussions will help guide you to awareness of unknown security risks & behaviors. This is a super powerful assessment of your current environment as it gives you materials and ways to focus on reinforcement and potential training module candidates.
National Cyber Security Awareness Month (NCSAM)
October is recognized as cyber security awareness month (now globally). This is an opportunity to truly connect and engage with our users for the entire month. Learning sessions, online scavenger hunts, external speakers, and a keynote event typically highlight events occurring during this month.
If you really feel the need to do a newsletter of some type, send out a quarterly newsletter to InfoSec and/or senior leadership. Topics focus on current strategies, results from initiatives, and projects on the horizon. (depending on culture, these may not be effective). Please note, these should not be for general user audience. Because they don't read them. They don't. We promise.
You will need to measure how you are effectively educating users and changing their behaviors. We recommend the following methods to measure the security awareness & training program.
Annual training metrics
Think of this as your completion rates of how many users completed the training across the company. This can also include regulatory requirements as well.
Lots of metrics within the phishing training program. One thing to be careful is to not allow the phishing metrics to be the core metric for the program. It is but one of many important reporting numbers representing an overall effort of the program.
Live trainings will be unique and can provide interesting windows into your culture. Keeping track of number of trainings delivered, number of unique teams, number of attendees, etc. can show value.
An effective security awareness programs creates enough relevant data directly to the IR teams to enable those teams to become efficient. Tracking efficiency can be a powerful value add for senior leadership. A favorite is showing reduced time to respond to phishing threats (because users are reporting).
views of videos/training
Videos are an extremely powerful resource if done correctly. These are also one of the hardest to justify because much like a commercial, it isn't always easy to connect it with an immediate action. Views, time spent viewing, shares, likes, etc. can all be powerful metrics for these resources.
National Cyber Security Awareness Month is a behemoth. When planned ahead of time and with intention, NCSAM can provide you tons of great metrics - things like hours spent learning, events attended, participants in contests, etc.
We will send out an annual (and anonymous) security awareness survey to measure people’s understanding of organizational policies and measure their beliefs and attitudes toward information security.
Repeat Responder: An end user who has responded to three or more phishing simulations within a 6-12 month rolling window.
Statistics support the learning curve happen between the third and fourth training email. Identifying users prior to this window doesn't allow the phishing training to actually take effect.
We run phishing assessments to test users’ ability to detect and avoid falling victim to social engineering attacks.
**We highly suggest not referring to your users as "repeat offenders", but instead to refer to them as "repeat responders".
What's really beautiful about implementing a strategy like this, is that you can actually map out your year one, two, and three. You can show your leadership how you'll mature the program, and when you foresee major projects kicking off.
Key Dates and Milestones
Keep it simple for this. We've seen programs attempt to plan out every week of the year. You can't do that - its like trying to foresee into the future and plan around it.
It's great to set up 2-4 large, attainable projects for year one. If your program is brand new, or under 1-2 years old - we would suggest focusing on:
- Annual training
- New hire training
- phishing training
These are big big projects that could potentially involved multiple departments to be successful. You can't do these and also be writing new blog posts and newsletters every 2-3 weeks.
So, plan big and keep the goals simple.
Year two you can highlight maturing year one goals, and add one or two new programs - like ambassadors and live training, or even role-based training efforts.
You can forecast and show how your program matures each year, and that, my friends, is executive team gold.
We have taken all of this amazing information you just blazed through and created a clean, editable word document for your ease of use. Interested? Hit us up at firstname.lastname@example.org to get a copy, maybe we can even help you strategize.
If you have found this guide to be helpful, we would love it if you would be willing to share it on LinkedIn or Twitter (you can link to it using this URL: www.habitu8.io/security-awareness-program-plan/