What We Learned During NCSAM
What a wild ride we've had this October celebrating National Security Awareness Month! We hope you've enjoyed following along with our weekly installments building the perfect security awareness program piece by piece.
Now that October and NCSAM have come to an end, it's time to wrap it all up.
Here, in five steps, is how to build a strong, sustainable security awareness program:
The best way to do reinforce your security policy through your awareness program is through relevant, timely statistics and real-life examples that are highly relevant to your employees.
Clarity. Be sure that your security policies are clear and at the forefront of your awareness program. Keep the focus on concrete, enumerated policies.
Specificity. Be as specific as you can to your business or your industry. Don't throw in information your employees won't use.
Storytelling. Statistics are great for making a point, but don't load your presentations with too many numbers. Mix in anecdotes to keep your employees engaged.
Relevance. Provide information that's also relevant outside the business context. Teach your employees how to help their kids or spouses be safe, too.
PHun When making your security awareness program PHun, it's all about getting everyone on board. Be a little corny (like renaming October Hacktober) and make sure everyone sees you buying into it. Then, they'll start to have fun and learn something along the way.
Gamification. By playing off people's natural competitive instincts, you can make security awareness something people want to do instead of something they're forced to do.
Recognition. Make time in meetings to give out certificates and prizes, and make speeches to celebrate your most security-aware employees.
Positive. While punitive measures are often employed in security training, studies have concluded that positive reinforcement lasts longer in people's minds.
PHrequent The point of frequent security awareness messages is not really to reiterate your entire security policy every time but rather to make sure you're keeping security on your employees' minds. Vary the format and content of your messages, and keep it short.
Culture. Look at how often other departments send out routine policy reminders, and aim for somewhere in the middle.
Variation. Instead of employees getting bored by receiving the same format and content over and over, they know they can look forward to something different every time you send them a message.
Resources. Provide an endless supply of resources for security-related information. Employees can choose which topics they want to dig deeper into and you build your authority as current in your field.
Brevity. Keep your messages short. Adults can only retain so much information at once. And by providing just the main points, you show employees you respect their time.
PHree swag Ideally, the purpose of good security swag isn't just to make your customers or employees happy with useful trinkets. The real benefit to security professionals is that good security swag will remind people of your security program every time they use it.
Uniqueness. There are some things we just don't need more of, like pens that don't work. Go for something unique or something common but done well.
Fun. Your customers or employees will appreciate something that makes them laugh, and they're more likely to show it to other people and tell them a story about it if there's a funny one to go with it.
Usefulness. You have to provide something that's actually useful if you want someone to use it. Office supplies over figurines any day — unless those figurines are disguised USB sticks!
Trendiness. Be careful with this one — Just think of how many branded mousepads are languishing in Goodwill right now. Don't order too many trendy items.
Exclusivity. Customers or employees are far more likely to get excited about an item if they perceive the item as rare or exclusive. By limiting supply, you increase demand.
Relevance. Go for something actually related to security so it reinforces your program specifically.
Quality. Try not to go too cheap. If you give out crappy ballpoint pens, you become the guy or company that gave out crappy pens. It's a dumb hit to take to your credibility.
PHunded Sometimes, you'll have to demonstrate a need for security awareness to get the PHunding you need, and you can get creative when making a business case for your program. You might need to write a good business case, provide some real-life worst-case examples, or even perform a pentest and include the results with your proposal.
Writing. Write a good business case. Find someone with experience writing proposals if you don't feel confident in your written communication skills.
Examples. Provide examples of worse-case scenarios. Headlines and statistics about security breaches aren't hard to come by at the moment. Pull relevant examples, like ones from your industry, your city, or similarly sized companies that use the same software as you.
Pentest. Perform a pentest before submitting a proposal. In more extreme cases when you're struggling to get attention for your program — or when trying to start a program from scratch — you might want to conduct a small penetration test before submitting a proposal. You can include your results in your business case to make a strong point.
We hope you've learned something and had as much fun as we have this October. Good luck with your program!
Like what you read? Want to get notified when I post? Subscribe to the email list.