Security Awareness Blog

Why Organizations Secure The Human

When working with organizations on security awareness and education, one of the first things I like to start with is asking 'why', what is their motivation? The motivations for deploying an awareness program often has a large impact on how it is designed, implemented and supported. It often determines the priorities of the topics, budget, who will be in charge of the program, who is the target of the program, etc. As such, you want to pay careful attention to the reasons of 'why'. To help you get started, these are the four most common motivations I have see.



  • Compliance: I always shudder a bit when organizations state this is their primary motivation. If all an organization wants is the ability to check a box (be it for a PCI DSS audit, ISO 72001 review, etc) then I am concerned their goal is the minimum standard and invest the absolute minimum resources. This is often nothing more then some type of boring online training consisting of nothing more then power point slides. In addition the content is often poorly organized and out of date. For compliance purposes, organizations are more concerned that all possible topics are covered, and less concerned about prioritizing topics and communicating them effectively. Unfortunately it is awareness programs like these that have given awareness, and the concept of securing the human, a bad name. The problem is compliance is often the only way a security team can get management buy in or a budget. If compliance is the only way you can get management support, be sure you do not fall into the 'compliance trap' when planning your program.

  • Clients / Partners: Sometimes an organization is not required or regulated by their industry to have security awareness and education, but their clients or partners do. For example law firms. Law firms bring on a variety of different clients that have different types of data and different regulations. For example if they are working on a health care related case, they may be using patient data which falls under HIPAA. If they are dealing with financial clients or processing merchants, they may be dealing with PCI DSS related data. As a result, the clients will require the law firms to have security awareness and education, as per their regulations. These situations can be more challenging as a variety of different needs must be met.

  • Incident: As is often the case in security, it takes an incident to get the attention (and support) of management. Security awareness is no different. I worked with one client where awareness was a major issue after a password incident, specifically employees were sharing their passwords with supervisors. As a result of incidents, an awareness campaign was implemented with one of the key focuses on proper password use. The value add to a situation like this is management's focus is on awareness and education that makes a difference, not just check the box. If you find yourself in this situation, make sure you take advantage of it, but implement a comprehensive program that applys to the risks with most value.

  • Mitigating Risk: This is best case scenario. This is when an organization understand's the risks of the human and wants to implement a comprehensive solution that makes a difference. Just as an organization would budget for, plan and deploy any other security solutions (encryption, patch management, single sign on, etc) they budget, plan for and deploy a comprehensive awareness solution with the goal of reducing risk. For me these are the most exciting programs, and usually the most challenging!

Do you see a common motivator for awareness programs missing? Let me know!


2 Comments

Posted May 24, 2010 at 8:03 PM | Permalink | Reply

Gary Hinson

Other reasons include:
''" The auditors told us we need one
''" Our peers/competitors have one and it looks neat!
''" Some consultants advised us to get one, and offered to sell us one they made earlier
''" Our infosec people said we need one
''" Our HR/training people said we need one
''" How else are we to tell them about our policies?
''" Our employees have a mental age around 7 and like whizzy cartoon graphics
''" We had some blank spaces on our walls and wanted some bright, motivational posters (about 5 years ago)
''" Someone went to a security conference and had a bright idea
''" Someone read about them in the in-flight magazine
''" We have a awareness program for health & safety, so it seemed a logical extension
''" My predecessor started it and I kinda keep it going
''" Our vendors gave one away with their very expensive LMS, so we feel compelled to give it a go
''" We've done all there is to do in the way of technical security fixes, but security is still broken
''" We read your blog, Lance
Rgds, Gary

Posted May 25, 2010 at 4:43 PM | Permalink | Reply

lspitzner

Gary is on a tear! Actually some of these are quite good, I hope you don't mind but I would like to add them to my list. Thanks Gary!
lance