In this series of posts we have been discussing the different maturity levels of security awareness training. We started discussing the first two levels, having no awareness program and having a compliance focused awareness program, designed to meet only the minimal requirements. Then we covered promoting awareness and change. Today we will cover the next level - long term sustainment.
Long term sustainment builds on an existing program that is promoting awareness and change. It adds the processes and resources in place for a long-term life cycle, including at a minimum an annual review and update of both training content and communication methods. As a result the program becomes an established part of the organization's culture and is always current and engaging.
Often I see organizations plan and budget their security awareness program only for a year. After the first year the program often withers and dies. You would not actively patch your computers for a year, then after that say "Okay, we are done, no more patching". System security would quickly degrade. Awareness is no different. Be sure you have the budget and stakeholder support for the long term. Also your program must be routinely updated. Technology, standards, business requirements and bad guys are constantly adapting and changing, so to should your awareness program. Not only does this ensure you have the most effective content possible, but with active updating you keep your awareness program fresh and engaging.