Security awareness has gone through immense changes in the past two years. It has quickly grown from a compliance driven, once a year dreaded event to an engaging solution focused on changing behaviors. Here are the top three indicators a program is truly a 'next generation' awareness program.
1. Behavior: The biggest indicator is the organization's goal. If they are focusing on just compliance, if their program is nothing more than a once a year power point presentation, you have an 'old school' program. It will never have an impact because it was never designed to. Next generation awareness programs are focused from the ground up to change behavior. The organization has done a human risk analysis, identified the top human risks to their organization, and is attempting to change behaviors to reduce those risks. Instead of reaching out to people once a year, the program is actively, continuously reaching out to people.
2. Engagement: Old school awareness programs focused on how the organization benefited, how you must or must not do things to protect the company. Next generation programs focus on individuals, how people personally benefit. The vast majority of secure behaviors apply to both work and home, so organizations are focusing on personal lives. A metric to determine if you have an engaging awareness program is if employees are asking how their family or friends can take the training.
3. Detection/Response: When people think awareness they think prevention, the Human Firewall. Next generation awareness programs go beyond just prevention and also include human detection and response, the Human Sensor. We can't prevent all human based attacks all the time, but if there is an incident and people do fall victim they can still mitigate the risk by quickly identifying and reporting it.
What are some of the most exciting changes you are seeing with next generation awareness programs?