NOTE: This post is the first in a series on building mature awareness programs and ultimately embedding a strong security culture. For this post we define what is the purpose of an Awareness Program, why should organizations care?
Far too often Security Awareness is perceived as the entertainment business. Ask a security professional what their security awareness team does and they often say something like “Oh, those are the people who make posters and cat memes”. This is typical of new or immature security awareness programs which are focusing on how to effectively engage their workforce. Engagement is important, but there is much more. Reach out to an organization running a mature awareness program and you are likely to get a very different answer from their security team, “The awareness team is key to helping us simplify security for our workforce and effectively manage our human cyber risk”.
Cybersecurity is no longer just about technology, it’s also about people, especially as people represent not only one of the top risks to organizations, but one of the fastest growing. Security awareness is part of, and an extension of the security team to enable organizations to effectively manage and measure that risk.
Think about it from this perspective: Security teams often have different specialties to help manage different elements of risk, such Vulnerability Management, EndPoint Security, Security Operations Centers or Incident Response teams. Security Awareness is simply another piece to the puzzle, just a piece that focuses on the human side. Mature Security Awareness programs effectively manage human risk through a three-step strategic process.
- Identifying an organization’s top human risks.
- Defining the key behaviors that most effectively manage those risks.
- Communicating to, training, and engaging your workforce so they exhibit those key behaviors.
New or immature awareness programs tend to start with, and focus only on step #3 (engagement), especially programs that are only compliance focused. However truly mature awareness programs, especially those integrated with the rest of their security efforts, also include and address the first two stages. For organizations to truly manage all elements of their cyber risk, they need to focus not only on technology, but also the human side. In follow-on posts, we will share more on how organizations can build and leverage a mature awareness program, enabling them to not only far more effectively manage and measure their human risk, but embed a much stronger security culture.
To learn more, also consider the two-day SANS course MGT433: Managing Human Risk or the more advanced five-day SANS course MGT521: Leading a Strong Security Culture.