Security Awareness Blog

My Security Awareness Communications Plan

Editor's Note: This is a Guest Blog post from Rhonda Kelly, the Security Education and Awareness Architect at Oshkosh Corporation. In this blog post Rhonda discusses an amazing planning tool she developed for her awareness program and one that you can use for your own.

Security Awareness Communication Plan Roadmap

As I began to implement a Security Education and Awareness program at Oshkosh Corporation, I had a number of communications, phishing campaigns, and reports to track and send. I needed a tool to visualize our plan and to track each communication, its timing, and the vehicle we would use to deliver it. The tool also had to show management that the program had a vision and a focused plan. In short, I needed a Communication Plan Roadmap. You can download a copy of the Communication Plan Roadmap here.

What is the Communication Plan Roadmap?

The Oshkosh Security Awareness Roadmap is a detailed, color-coded spreadsheet that provides a high-level view of a security awareness program by week and by month over a one-year time frame. The plan allocates specific events and milestones that are key components to communicate to leadership and internal allies. It gives an overview of Security Awareness communication events such as newsletters, phishing campaigns, special security projects, security metrics, educational video launch dates, newsfeed communications, and key company events, all documented in one convenient year overview.

How do we use it at Oshkosh Corp?

At Oshkosh Corporation we use this roadmap in several ways: to ensure we meet deadlines and report due dates, to keep leadership aware of upcoming communications, and to provide an overall view of the Security Awareness communication plan for the year. This gives our communication partners a way to visualize the work being done to build security awareness across the organization and reduce our security risk. Because we use a number of vehicles to deliver our messages, we needed a roadmap to track when and where each vehicle would be used and to ensure the messages were reasonably distributed throughout the year.

How could you translate this for your own use?

Depending on your staff-to-employee ratio, as well as the number of communication vehicles available to you, this roadmap can serve as a starting point as you blaze your own path. Lay out where you are today and map your current state; overlay where you would like to be in the next quarter; then extend the map over a full year, building your own communication roadmap to success. As you prepare the roadmap, be flexible enough to make a few adjustments: if your plan is too aggressive, the end result may be that you miss a few deadlines. You may also find that some tasks are repeatable, and they need to be repeated for employees to start to change their behavior. Giving your Security Awareness plan visibility to the right staff members not only captures their attention, it shows them that you have a well-planned roadmap for implementing Security Awareness, which in turn will create cultural and behavioral change in your organization.

Lessons learned:

  • Have flexibility for the unknowns
  • Communicate your plan with others and create partnerships within the organization
  • Remember you are trailblazing on unknown territory
  • Give yourself adequate timelines
  • Be considerate of other company events
  • Having a plan/roadmap shows you have thought through your program and have a vision
  • Have fun; if you are having fun, your teammates are having fun

Bio: Rhonda Kelly currently holds the Security Education and Awareness Architect position at Oshkosh Corporation. Rhonda's sole responsibility is to design, build, and implement the Security Education and Awareness program for ~10,000 employees worldwide, including translating materials into 10 languages. Her educational background is business management, with an emphasis on marketing and communications. She has built her Information Security technology experience through SANS Security Leadership Essentials for Managers, Securing the Human, Advanced Practical Social Engineering courses, and hands-on training. She continues to attend various training sessions to advance the awareness program at Oshkosh Corp. She is currently focusing on role-based training both domestically and internationally.

2 Comments

Posted February 9, 2015 at 8:59 PM

Yohanes Dedeo

How do you measure the effectiveness of the security program? Based on your experience, what is the best way to measure the effectiveness of security awareness program? Is it possible to quantify the effectiveness of the program?

Posted February 10, 2015 at 6:41 PM

lspitzner

Yohanes, good question. Absolutely, you can measure your awareness program. The first step though is defining what you want to measure. If compliance is a goal, then you have to define what standards you want to be compliant to and what is required to be compliant (for example, PCI DSS has specific requirements for awareness programs). If your goal is reducing human risk, you have to first identify the top human risks to your organization. That is why phishing is such a common metric; it is a human risk most organizations care about. For resources on measuring risk, check out http://www.securingthehuman.org/resources/metrics