Any security awareness program goes through stages


These are notes from one of the presentations at Toastmasters.

Stages

1. Determine where you are.

If you are on your own, security awareness is going to be very difficult for you.

You need executive support.

One of the industry leaders is SANS. They surveyed a number of people who run security awareness programs and asked them where they were at. The finding was that if you are going to be successful, you are going to need about 2.5 full-time employees dedicated to the program.

2. Compliance.

Most of the time, the reason we have to do security awareness is that there are a plethora of regulations requiring that you train your employees on cybersecurity. You have to determine which regulatory requirements apply to your industry. For example, Paige works in healthcare and has a HIPAA requirement. She advises doing a Google search to find the regulatory requirements for your industry; she compiled a list of every requirement she could find, since she wasn't sure which regulations her company would be beholden to. Her organization often has to train students as well, because the students are given an email account. Once the requirement is identified, you can require everyone in your organization to participate in the training.

3. Build a culture of security awareness.

Her company had only just ventured into a culture of cybersecurity. That's where Paige came in. Once her boss got permission to hire her, she began building a culture of security awareness. She couldn't show her healthcare co-workers scary imagery or messages, because their focus is on helping people get better. How do you do that? She built the security culture on top of one that already existed. She is also a Zero-Harm trainer, and that is a great tool because the employees already know it; cybersecurity is just another layer on top of it. She came up with a light-hearted company slogan, "Be smarter than the average bear, be cyber aware". Her company uses STAR to look out for phishing.

She thought she was almost out of time, but actually had three minutes left.

You can find help by listening for people who are already interested in cybersecurity. You can use them as your ambassadors; she simply asks them for their help.

4. Long-term Sustainability.

She incorporates games, contests, and lunch-and-learns with speakers. She uses newsletters and gives people incentives to keep it going. She has ambassadors in different places and gives them autonomy. If someone does get a phishing email, encourage them to report it, so that employees feel it is okay to contact the security team with the email. Just as a doctor can't tell you what is wrong if you don't describe all of your symptoms, the security team can't help if it never sees the email.

5. Have a metric.

Have a baseline from which you can measure. If you have all of these things, you will have a successful cybersecurity education program.

6. You can’t expect to get there overnight.

Show numbers and metrics. Executives like to know that their money is being spent wisely. If you do these things you will have a successful program. It could take 3-5 years, but stick with it. You will eventually get there.

Have something to add? If so please provide feedback in the comment section of this blog.

About Melva Gifford

Melva is an author and storyteller.
This entry was posted in The Things I've Recently Learned.