If you’ve got your security awareness program up and running, don’t start that victory lap just yet. Implementing the program is only half of the battle. The most successful and mature security awareness programs not only change behavior and culture, but they are also able to measure and demonstrate their value via a robust metrics framework.
Established in 2011, the SANS Maturity Model was conceived through a coordinated effort of over 200 awareness officers. Organizations are steadily finding this to be a simple yet powerful tool, both as a roadmap for their own program and a communication tool for leadership.
Over half of the respondents to the 2018 Security Awareness Report said they believed their awareness programs were at roughly stage 3 of the Maturity Model, steadily maturing toward the stage of promoting awareness and behavior change.
This reveals that organizations struggle to both measure and communicate that maturity to their leadership. Here are seven keys to success for a more mature security awareness program:
- Gain Leadership Support
Identify the key areas your program will address. Ask yourself: how does the security awareness program address the human element of cyber risk? Who has overall responsibility for the program? Who is in charge?
- Create a Security Awareness Advisory Board
A Security Awareness Advisory Board is a team of people that awareness professionals gather to help them plan and maintain the program. Membership is not limited to any one job description: it can include human resources, marketing, key executives and other important departments within your organization. Create a cross-functional team whose members represent a variety of business roles and teams. This will lead to a more robust program.
- Get Specific on Who Your Target Groups Are
Different target groups within your organization have different risk factors and behaviors that need changing. The type, frequency, and modality of the training you administer to them will vary. Outline each target group you plan to train, listing the characteristics of each group.
- Identify and Prioritize your Human Risks
Research is your friend. The annual SANS Security Awareness Report and Verizon’s Data Breach Investigations Report (DBIR) are two places to go to get an idea of overall issues and risk assessments. Look into any and all incidents that have occurred within your organization and document them. List the areas where your company seems to consistently fall short.
- Communicate to and Engage Your Target Groups
The most effective way to communicate with target groups varies by organization. Different subcultures within an organization may have preferred methods of communicating. Some may value information shared in a newsletter, while others get their information through more technology-driven channels. How will you share information about your program, and what will you do to reinforce it? Consider a variety of reinforcement tools such as posters, events, lunch-n-learns, or software communication tools.
- Update and Improve
Once you’ve launched your program, it’s critical that you keep it updated. Risks evolve and change, and so should your program. Besides keeping a pulse on the type of risk you are training for, you should regularly meet with your advisory board to check the pulse of who you are delivering your training to, how you are delivering it, and why you deliver the training in the way you do.
To successfully grow a security awareness program, a measurement program should be in place. Compliance metrics, such as who in each target group took the training you’ve assigned and when, or how many people attended an event, give you important information about the reach of your training. Surveys are also good for measuring people’s understanding of organizational policy and their beliefs about information security.
Learn more about measuring success and using the SANS Security Awareness Maturity Model to benchmark your awareness program.
Download our interactive, complimentary poster, The Anatomy of a Successful Awareness Program, which visually identifies the seven key steps toward building, maintaining, and measuring a mature security awareness program.