As all IT professionals are painfully aware, it is impossible to ignore the role of people in an organization’s information security program. Information security, like everything else, is at its core a human enterprise influenced by factors that impact the individual. During our December #SecChat, we set out to address this topic with our followers, looking to gain insight from the community and learn more about what it takes to design and implement an effective security awareness program.
We began our conversation by asking what kind of security awareness programs participants had seen implemented, and what they believed made those initiatives more or less successful. A few of the main points that many of our followers brought up revolved around the importance of thinking outside the “yearly compliance video” box – making sure security awareness education is ongoing, relevant and fun.
First, @jadedsecurity reminded us that one big problem in many organizations is that security awareness is seen as a one-off thing – there is no reinforcement. And not only is there no reinforcement or ongoing education from the IT side, all too often there is no collaboration between IT and the rest of the business. As @BrianContos brought up, it is imperative that orgs include non-IT/security employees in the crafting of policies and awareness programs in order to set the foundations for strong governance. @hrbrmstr suggested developing a quarterly plan at the beginning of the year designed to pace in-depth messaging with smaller, more frequent bits. Again, this always requires collaboration between departments to make sure that IT messages do not overlap or conflict with any standard, all-hands business messaging.
The next big point of our conversation was that organizations need to do a better job at helping employees see the relevance of cybersecurity to their everyday lives – answering the question, “What’s in it for me?” Many of our participants cited this as one of the most critical angles of a security education program. As @lewisnic explained, you need to hook users and get them interested in the topic by explaining how they can affect their personal security (like online banking, phone, etc.) and then translate that to how it applies to the business. @msarrel brought up that a couple of ways to make enterprise security more “real” to users is to give concrete examples and demonstrations of what you have seen in your environment, or to tie in big-news events with internal analysis and personal advice.
Finally, nearly all of our participants agreed that one of the top priorities in any security awareness program should be to make the content engaging, interactive and fun. @grap3_ap3 suggested holding contests to encourage positive behavior, and rewarding employees who bring security issues to light. In an effort to make learning more engaging, @hrbrmstr’s organization actually created Flash games for topics like data classification, and hosts their policy and standards education class as a game of Jeopardy (winners are rewarded with a gift card). One of @djbphaedrus’ clients identified 5 new legitimate security issues with this gamification approach, “employees were thrilled, and awareness increased.” @451wendy also touched upon the importance of reinforcement through reward – public praise, compliments to the employee’s supervisor, or of course, the ubiquitous power of food.
As we approached the end of our hour, we asked our contributors if they had any lasting words of wisdom for those looking to start an awareness program. There was one important message voiced by a number of our participants that I think is summed up best in the words of @grecs: “Getting people to “get it” is sorta like raising kids. Kids learn their lessons in different ways.” Organizations can’t be afraid of reaching out and trying different techniques that may not be familiar. In turn, don’t be afraid to change your approach as time goes on and to tailor your program to your org’s individual culture, personality, and evolving security needs. Above all, be enthusiastic, and remember that awareness is an ongoing process. As @451wendy pointed out, security awareness should be seen as an ongoing dialogue, not a one-time lecture.
Thanks to everyone who joined in and helped to make our December #SecChat such a success. Stay tuned here in the blog and on Twitter at @IntelSec_Biz for next month’s topic, as well as regular updates on McAfee news and events.