Editor's Note:This guest blog post is from Sandra Dunn from HP. Sandra will be leading a mentor led MGT433 course in Boise, Idaho in October.
There is an interesting debate in the dark corners of Security Awareness nerdom regarding the benefits of Security Awareness Programs. The arguments go back and forth, "You can't trust your users your only choice is to lock them down!", "Lock down your users!" Slow productivity to a crawl?! You can't lock them down from every possible way they might infect your network! Finally at the end of long email discussion or a long list of comments on an article that has been written someone with a quiet voice of reason steps in and says "Doesn't it make the most sense to do both?"
As is commonly found the best answer is to find a balance between the two extremes. Those with quick minds will jump to the next big question: Is it 50% security control 50% security awareness? The right ratio answer might surprise you: every environment is unique. So now earn that title you so proudly display on your Linkedin Profile, pull out those notes from the STH 433 class, and flex those keyboard fingers. Here are ten things to think about for your Security Awareness Program
#1 Security is like quality, it is part of everyone's job
This is the most important behavior change we can help instill in people. We aren't just making noise we really do need them to contribute. We are counting on them to protect the company. Corporations are realizing that their users are their first line of defense. A continuous Security Awareness program can help to make security issues as intuitive as quality issues.
#2 Making a difference doesn't require a huge budget
A weekly email with five security tips can have an impact. The most successful security awareness program I was part of started out as a relatively small effort. I came up with the ideas for topics but then found security subject matter experts within our own company to come present.
#3 Find the passion for the people you are helping. They are your greatest asset
We've all seen examples of "security people" having some level of distain for "non-security" people. Please understand that they are putting as much passion into their role as you're putting into security. In almost all cases they absolutely want to protect the company, it's their lively hood too! They just need to put a majority of their cycles into being a good accountant, sales person, or developing the next big thing. Provide security practices that are easy to understand and easy to do and everyone will appreciate you.
#4 Believe in synergy
Synergy is the interaction of multiple elements in a system to produce an effect different from or greater than the sum of their individual effects. Imparting awareness to general users can pay big dividends in preventing security issues. Those users contribute with different perspectives and adding their area of expertise and you have new ways to see issues and solve security problems.
#5 One size does not fit all
Just like the investment in security controls vs education what and where to emphasize is different depending on the unique security risks to your company.
#6 Metrics that really measure
If your management measures success by having a high participation level in a program, so they make it mandatory for everyone, but then people go through the program by clicking the ?next' button as fast as they can without reading the content, is there any value in your metric? Use metrics to understand where the greatest risk is and then put the right resources there. Easy Metrics may not be the Right Metrics.
#7 Fail with Flames
To put together a highly successful program that your management team and the people in your company really like, you will have to be creative, bold and maybe a little crazy. And there is a slight chance that this creative, bold and a little crazy idea will fail. Don't settle for providing the same mundane easy to discount and ignore content we've all had to endure because you were a little afraid.
#8 Do your best to be consistent and clear with your message
Please please please don't warn people about url shortner's and then put a url shortned link to the slides in your webinar. This is a great article to this point. http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/The-Tricky-Game-of-Breach-Notification/ba-p/6137089#.UebboI03ttQ
#9 Don't take it personally
Remember if people didn't like something that you've put your heart and soul into, they still in almost all cases still like you. Take their feedback for what it is feedback. You just aren't going to be able please everyone (so make sure that the people you need to please are happy)
#10 Keep planning for the next event
Whether it is in the next quarter, next six months or next year grab onto as much momentum and harness the synergy for next year, and the year after that because one thing you know for sure there will be a whole new set of topics you need to discuss next year!
Sandra (Sandy) Dunn has over 20 years in the software and hardware industry. Initially starting out in Software and hardware sales she worked with NASA, JPL, Secret Service, IRS, and other Federal Agencies to determine their Server, PC, and Notebook sales. At HP she has worked as a Digital Sending & Security Analyst for HP MFP printers on the Competitive Intelligence team, an ACT Engineer for the Accreditation team for HP that certifies partner solutions with her focus being on security & regulatory, a Security Engineer on the Inkjet PSO team and has just joined the HP Cyber Security team as a Cyber Security Engagement Manager. She has a CISSP, Security +, ISTQB, SANS GSEC, GWAPT, GCPM and is a SANS Mentor. She has two children, a wonderful husband, too many horses and lives outside of Boise Idaho. Linkedin Profile www.linkedin.com/pub/sandra-dunn-cissp/10/974/472/