MGT433: Securing The Human: How to Build, Maintain and Measure a High-Impact Awareness Program
- Laptop Not Needed
Organizations have invested a tremendous amount of money and resources into securing technology, but little if anything into securing their employees and staff. As a result, people, not technology, have become their weakest link in cybersecurity. The simplest way for cyber attackers to hack into your organization is to target your employees. Unless, of course, you take the steps necessary to stop them. The most effective way to secure the human element is to establish a high-impact security awareness program that goes beyond just compliance and changes behaviors. This intense two-day course will teach you the key concepts and skills needed to build, maintain and measure just such a program. All course content is based on lessons learned from hundreds of security awareness programs from around the world. You will learn not only from your instructor, but from extensive interaction with your peers, as well. Finally, through a series of labs and exercises, you will develop your own custom security awareness plan that you can implement as soon as you return to your organization.
You Will Learn:
- The Security Awareness Maturity Model and how to use it as the roadmap for your awareness program.
- How to effectively engage and communicate within your organization.
- How to identify and mitigate the top human risks to your organization.
- How to sustain your security awareness program over the long term, including updating content and communication methods and, ultimately, changing your organization's culture.
- How to measure the impact of your awareness program, track reduction in human risk, and communicate the value of such a program to management.
MGT433.1: Planning and Building
Lance Spitzner
Wed Feb 25th, 2015
9:00 AM - 5:00 PM
- The five stages of the Security Awareness Maturity Model.
- The elements of risk and their role in awareness.
- Learning why humans are so vulnerable and how cyber attackers exploit these vulnerabilities.
- The learning continuum: awareness, training and education.
- Steps to gain management support and a budget.
- Beginning the planning phase with a project charter.
- Developing a steering committee/advisory board.
- Answering the three key questions during the planning phase: who, what and how.
- Who: Identifying the different targets of your awareness program. Whose behaviors do you want to change?
- What: Identifying and prioritizing the topics that will have both the greatest impact on your organization and ensure you are compliant. This includes conducting a human risk analysis step-by-step and identifying the top ten key human risks to your organization, then creating a learning objectives document for each topic.
MGT433.2: Implement and Maintain
Lance Spitzner
Thu Feb 26th, 2015
9:00 AM - 5:00 PM
- How: How you will deploy your program. This includes understanding the cultures within your organization and how to successfully engage people.
- The effective use of imagery, to include imagery within diverse or international environments.
- Top tips for effective translations.
- The two different communication methods, primary and reinforcement, and the advantages/disadvantages of each.
- How to effectively present and communicate in person.
- How to effectively communicate using Computer-Based Training (CBT) or eLearning, including use of a Learning Management System (LMS).
- Different reinforcement methods, including newsletters, posters, blogs and podcasts, and the different advantages/disadvantages of each.
- The two key requirements to updating and improving your program.
- Designing, deploying and using metrics to measure the impact of your awareness program, including how to effectively run phishing assessments.
- Walking through the final planning and execution steps, to include documenting a comprehensive project plan.
Who Should Attend
- Security awareness officers.
- Chief Security Officers and security management officials.
- Security auditors, and governance and compliance officers.
- Training, human resources and communications staff.
- Representatives from organizations subject to regulations or standards such as HIPAA, FISMA, FERPA, PCI-DSS, ISO/IEC 27001, SOX, NERC, or any other compliance-driven standard.
- Anyone involved in planning, deploying or maintaining a security awareness program.
What You Will Receive
- Course books that include printed slides and detailed notes for each slide.
- Course lab book.
- USB stick with a digital copy of all the labs and the Security Awareness Planning Kit.
You Will Be Able To
- Identify the maturity level of your existing awareness program and decide where to take it next.
- Explain the difference between awareness, education and training.
- Explain the three different variables of risk and how they apply to human risk and security awareness training.
- Explain why people are vulnerable and how cyber attackers exploit these vulnerabilities.
- Create a Project Charter and gain management's support for your security awareness program.
- Identify the different targets of your awareness program.
- Characterize the culture of your organization and determine the most effective communication methods for that culture.
- Identify, measure and prioritize your human risks.
- Design and implement key metrics to measure the impact of your awareness program.
- Create an effective phishing assessment program.
Press & Reviews
"The 'Who' and 'What' of training and awareness is just what I needed to take back home." - David Nix, Department of Energy
"Soup to nuts, this class covers the entire designing, building, deploying and measuring of an effective security awareness program." - Chris Sorensen, GE Capital
"MGT433 gives a great view on how to build a full security program." - Eman Al Awadhi, TRA