Editor's Note: Judith Forrest leads the information security awareness program at SAP. She is one of the speakers for the upcoming US Security Awareness Summit in Philadelphia August 19. Below she discusses her talk on branding and what you will learn from it.
The central theme of the SANS "Securing the Human" approach is that the human being needs to be treated as another operating system in the IT realm, an operating system whose vulnerabilities must be addressed. The central mission of security awareness professionals is to address these vulnerabilities by incentivizing individuals to analyse and modify their own behavior.
We share and discuss a plethora of ideas and tools for modifying behaviour, including standard training methods, intranet portals, gamification, prizes, humor, security messages in blogs, posters, coasters, stickers, videos, and a multitude of fabulous creative approaches we dream up. But at the heart of every security campaign, every security message, and even every security awareness professional, as an individual, there should be a brand. The unifying brand needs to be apparent despite the multitude of communication tools and approaches that we may ultimately try out, in our attempt to gain support and modify behavior.
Why it is important
Branding security is about shaping how security is perceived by others at the company. When co-workers think of your security program, do they associate it with compliance, or policies, or safety, or risk, or team-building, or fear, or fun? What are some other associations which come to mind about your program? This talk offers the following take-aways to shape how your security program is perceived by others at your organization:
- You will learn to assess the way you and your program are currently perceived — in other words, how others perceive your "brand."
- You will learn how to reflect upon and design the brand which will serve as the foundation of your security persona, messages, and program.
- You will learn the importance of discovering whether your own security brand is aligned with management's vision of the company's brand — and how to use that knowledge.
Bio: Judy Forrest is a Senior Information Security Specialist in SAP IT, based in Dublin, California. She brings three distinct areas of expertise to her development of security awareness training and programs. She is a subject matter expert in IT, where she was a database / e-commerce programmer and project manager for 10 years. Judy's instructional design experience hearkens from her years in Sybase's education department, both as classroom instructor and as courseware developer for Sybase database programming products. More recently Judy was the IT Compliance Manager at Sybase, until Sybase was acquired by SAP, where she has made security awareness training and initiatives part of her new role. Many security professionals have a strong technical background, but lack some of the "softer" skills like marketing, teaching, and communications. Judy says "I feel fortunate to have both a technical background, and a humanist background which has fostered the softer skills. I love the field of information security, which enables me to leverage both!"