In Feb 2014, I had the opportunity to attend the RSA Security Conference in San Francisco. While attending an early morning session (thank goodness for caffeine), I heard Todd Fitzgerald's presentation on "Generations Defined By Moments" and soon became very intrigued and engaged (yes...unusual for me at an early morning session). His premise was that each generation approaches security (and life) differently because of the technology that was prevalent during their formative (teenage) years and the events that occurred to shape their view of the world.
Many security professionals believe that Security Awareness training is ineffective because of the attitude of employees — the employees just don't want to listen and/or learn. Todd's presentation made me think that it may be the Security Awareness professionals who need a little adjustment, and not the employees. Security Awareness professionals may, in fact, be alienating employees because of the technology/method used and the attitude/message conveyed in our Security Awareness program. As someone who is responsible for Security Awareness at a financial institution, this was a call to action for me. I started thinking that we need to treat our employees with the same care and consideration that we try to treat our systems:
- We don't try and patch our systems or server farms once a year and within 1 hour. But many organizations try to change employee behavior using only an annual Security Awareness training. Lesson learned: Patching humans should be an on-going activity that occurs year round. Hopefully scheduled, but sometimes reactive to current vulnerabilities or malware (Heartbleed anyone?).
- We don't try and update a mainframe using the same techniques as Java. But we do try to update employee behaviors (from Baby Boomer to Millennial) using the same Security message. Lesson learned: The diversity of our approach should reflect the diversity of our organization. Don't try and make them come to you.
Uh-oh?.this may not be the most effective approach for an organization that is truly committed to security. So what to do? I gathered what I learned from Todd, along with some information I collected from both personal and professional experiences, and created a matrix. I tried to analyze the triggers for each generation, the impact on their learning style, and the message that would get through to them. We then shared it with the community (crowd-sourcing?) to try and get additional insight from the diversity of security professionals. You can download a copy of the matrix from the Security Awareness Planning Kit.
I will be using the matrix to make sure we provide opportunities that resonate more strongly with each generation at some point during the year. Short-videos for Gen Y? Role playing games for Gen X? Appeal to protective / family concerns for Baby Boomer? Ideally, I would like to say that if a majority of our workers are Baby Boomers, then our methods and messages should reflect that. As our worker population changes, so should our messaging and method. The diversity and culture of our program should reflect the diversity and culture of our employees. My organization is just now starting to implement this, but I've heard anecdotally that we are getting through to people we were not previously reaching. Best practice research shows that we need to "touch" or remind people every 3-4 months to keep the information fresh and at the front of their minds. Let's make sure we do that with a variety of messages that will resonate across our organizations. If the common denominator of Security Awareness programs are ineffective outcomes... then let's change the playing field. If you have any suggestions on how to improve the matrix, email firstname.lastname@example.org.
BIO: Paula Fetterman has BA in Economics and Math from New College of USF and a Masters in Public Policy (MPP) from The College of William & Mary. She is currently a Vice President within Enterprise Security at a financial institution, where she manages the Security Program Management Office and is responsible for:
- Security Awareness and Phishing
- Security Risk & Vendor Assessments
- IT Security Policy Framework
- Audit, Reporting, Metrics, and Organizational Strategy
- Project Management and Support
Paula previously managed Fannie Mae's Vulnerability and Threat (VTM) team, building out the network / desktop vulnerability scanning program, coordinating the analysis and implementation of National Vulnerability Database (NVDB) alerts, and conducting application / network vulnerability assessments. She managed their gateway proxy anti-virus appliance, performing issue management of botnet infections and technology use policy violations, coordinated the removal of end-of-life hardware and software, and implemented credentialed scanning within the Enterprise. Paula also helped design, implement, and execute internal controls for logging and monitoring of privileged activities within a Sarbanes-Oxley framework to remediate OFHEO regulatory findings. Prior to Fannie Mae, Paula was a management consultant with PricewaterhouseCoopers and IBM. She worked primarily with government agencies in the DC area, including SSA, VA, and DOD on issues related to change management, data analysis, and cybersecurity. Paula received her CISSP in 2008 and Series 99 (FINRA) certification in 2012. She was selected as the 2014 keynote speaker for UMBC's Spring into Leadership program with the Center for Women in Technology (CWIT).