As I discussed in my last blog posting, we at SANS our going through our bi-annual update on security awareness training, specifically updating our awareness content. One of the key new modules we are developing is just for senior management. While it would be great for senior management to go through all the in-depth training as their employees, unfortunately reality dictates otherwise. Senior management is extremely limited on time, getting them to sit through an hour of training may simply not be an option. However if you can condense that key training to say five or ten minutes, this is far better then nothing. In addition, there are some key topics that you will find unique to senior management. As such, we created a new training module specifically for them. Key points include
- Target: Senior management is a high priority target, including APT (Advanced Persistent Threats). This means management needs to understand this and the impact it has on their actions. You need to be sure they understand what spear phishing is, how it works and how to detect it. Also you need to be sure they know how to report possible attacks and make them feel comfortable doing it. Management also needs to limit personal information they share on social networking sites such as Facebook or LinkedIn. The more information they make public, the more of a target they make themselves.
- Policies: Management needs to set the example by understanding and following policy. They should never be found bad mouthing or contradicting policy. For example, management should never ask an employee for their login and password.
- Travel: Senior management often travel more then employees, and with far more sensitive information. They need to understand the risks of mobile devices and hostile public networks. For example, they need to ensure everything they travel with is encrypted and they do not use public computers (can you say hotel lobby computer) for any work related activities.
- Data: The data senior management works with is often highly sensitive, you need to reinforce any data protection policies you have, such as never using public email accounts (Gmail, Yahoo, Hotmail) for work related activities. They must also be very sensitive about what they share, especially with people outside the organization.
Do you have a special program for your managers? What topics am I missing, what should be added or changed?