MGT433: Securing The Human: How to Build, Maintain and Measure a High-Impact Awareness Program
I'm running a global program as a team of one. The networking is invaluable.
This course is a must for enhancing the overall security posture for any organization.
Organizations have invested a tremendous amount of money and resources into securing technology, but little, if anything, into securing the human element. As a result, people are now the weakest link; the simplest way for cyber attackers to hack into any organization is to target your employees. One of the most effective ways to secure the human element is to build an active awareness and education program that goes beyond just compliance and changes behaviors. In this challenging course you will learn how to do just that. You will learn the key concepts and skills needed to build, maintain and measure a high-impact security awareness program. All course content is based on lessons learned from hundreds of organizations around the world. In addition, you will learn not only from extensive interaction with the instructor, but from working with your peers, as well. Finally, through a series of labs and exercises, you will develop your own project and execution plan, so that you can immediately implement your own customized awareness program upon returning to your organization.
A laptop is not required. What is recommended is a willingness to discuss and share your own experiences and lessons learned in security awareness.
MGT433.1: Planning and Building
Thu May 8th, 2014
9:00 AM - 5:00 PM
CPE/CMU Credits: 6
- Learn the five stages of the security awareness maturity model
- Define the elements of risk and their role in awareness
- Learn why humans are so vulnerable and how cyber attackers can exploit these vulnerabilities
- Define the learning continuum: awareness, training and education
- Steps to gain management support and a budget
- Developing a steering committee / advisory board
- Beginning the planning phase with a project charter
- Answering the three key questions during the planning phase: who, what and how
- Who: Identifying the different targets of your awareness program. Whose behaviors do you want to change?
- What: Identifying and prioritizing the topics that will have both the greatest impact on your organization and ensure you are compliant. This includes going through a human risk analysis step-by-step and identifying the top ten key human risks to your organization
- Discuss the importance of learning objectives for each key human risk and how to identify and document those learning objectives
MGT433.2: Implement and Maintain
Fri May 9th, 2014
9:00 AM - 5:00 PM
CPE/CMU Credits: 6
- How: Understand your organization's culture and the impact that it has on how you will communicate your awareness program.
- How to effectively engage people and create a program they want to take. The ultimate goal is to have a program that makes employees ask if their families can take the training.
- Effective use of imagery
- How to handle translations
- The two different communication methods: primary and reinforcement
- Discuss the two different methods for primary training and the advantages/disadvantages of each
- How to effectively present and communicate to people in person.
- How to effectively communicate using Computer-Based Training (CBT) or eLearning, including use of an LMS
- Different reinforcement methods, including newsletters, posters, blogs and podcasts, and the different advantages/disadvantages of each
- Designing and using metrics to measure the impact of your awareness program, to include how to effectively run phishing assessments
- Updating and improving your program
- Walk through the final planning and execution steps, to include putting together an execution checklist and final plan
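The "metrics" item above mentions running phishing assessments. The following is an added example of how the results of such an assessment are usually reduced to the numbers a program owner reports; it is not course material or code from the course author. The event rows, campaign names and user names are constructed for illustration, and the metric definitions (click rate and report rate over delivered lures, time to report measured from delivery, a "repeat clicker" being anyone who clicked in two or more campaigns) are the author's assumptions, chosen because they are the ones most programs track.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data (not from the course): one row per recipient action,
# as (campaign, user, action, ISO-8601 timestamp). "sent" marks delivery.
SAMPLE_EVENTS = [
    ("Q1-invoice", "alice", "sent", "2014-03-03T09:00:00"),
    ("Q1-invoice", "alice", "clicked", "2014-03-03T09:12:00"),
    ("Q1-invoice", "bob", "sent", "2014-03-03T09:00:00"),
    ("Q1-invoice", "bob", "reported", "2014-03-03T09:05:00"),
    ("Q1-invoice", "carol", "sent", "2014-03-03T09:00:00"),
    ("Q1-invoice", "dave", "sent", "2014-03-03T09:00:00"),
    ("Q1-invoice", "dave", "clicked", "2014-03-03T10:30:00"),
    ("Q1-invoice", "dave", "reported", "2014-03-03T10:31:00"),
    ("Q2-password", "alice", "sent", "2014-06-02T08:30:00"),
    ("Q2-password", "alice", "clicked", "2014-06-02T08:41:00"),
    ("Q2-password", "bob", "sent", "2014-06-02T08:30:00"),
    ("Q2-password", "carol", "sent", "2014-06-02T08:30:00"),
    ("Q2-password", "carol", "reported", "2014-06-02T08:50:00"),
    ("Q2-password", "dave", "sent", "2014-06-02T08:30:00"),
    ("Q2-password", "dave", "reported", "2014-06-02T08:33:00"),
]


def parse_events(rows):
    """Group rows into {campaign: {user: {action: earliest timestamp}}}.

    Only the earliest occurrence of each action per user is kept, so a user
    who opens the link three times still counts as exactly one click.
    """
    by_campaign = defaultdict(lambda: defaultdict(dict))
    for campaign, user, action, ts in rows:
        when = datetime.fromisoformat(ts)
        actions = by_campaign[campaign][user]
        if action not in actions or when < actions[action]:
            actions[action] = when
    return by_campaign


def campaign_metrics(users):
    """Compute the headline numbers for one campaign from its {user: {action: time}} map."""
    sent = [u for u, a in users.items() if "sent" in a]
    if len(sent) != len(users):
        # An action without a delivery record is a data-quality problem; failing
        # loudly is better than silently skewing the denominator.
        missing = sorted(set(users) - set(sent))
        raise ValueError(f"actions recorded for users never sent the lure: {missing}")
    if not sent:
        raise ValueError("campaign has no delivered lures")
    clicked = [u for u in sent if "clicked" in users[u]]
    reported = [u for u in sent if "reported" in users[u]]
    # Time to report is measured from that user's own delivery time (assumption).
    minutes_to_report = [
        (users[u]["reported"] - users[u]["sent"]).total_seconds() / 60 for u in reported
    ]
    return {
        "sent": len(sent),
        "clicked": len(clicked),
        "reported": len(reported),
        # A user who clicks and then reports still counts as a click, but the
        # report is worth tracking separately: it is the behaviour you want.
        "clicked_then_reported": len(set(clicked) & set(reported)),
        "click_rate": len(clicked) / len(sent),
        "report_rate": len(reported) / len(sent),
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
    }


def repeat_clickers(by_campaign, min_campaigns=2):
    """Users who clicked in at least min_campaigns campaigns (threshold is an assumption)."""
    counts = defaultdict(int)
    for users in by_campaign.values():
        for user, actions in users.items():
            if "clicked" in actions:
                counts[user] += 1
    return {u for u, n in counts.items() if n >= min_campaigns}


def summarize(rows):
    """Per-campaign metrics for a list of event rows."""
    by_campaign = parse_events(rows)
    return {c: campaign_metrics(users) for c, users in by_campaign.items()}


if __name__ == "__main__":
    results = summarize(SAMPLE_EVENTS)
    for campaign, m in sorted(results.items()):
        print(f"{campaign}: sent {m['sent']}, click rate {m['click_rate']:.0%}, "
              f"report rate {m['report_rate']:.0%}, "
              f"median minutes to report {m['median_minutes_to_report']}")
    print("repeat clickers:", sorted(repeat_clickers(parse_events(SAMPLE_EVENTS))))
```

Tracking report rate and time-to-report alongside click rate matters because a program that only measures clicks rewards the wrong thing: the goal is not just fewer clicks but faster reporting, which is what actually shortens an attacker's window. The repeat-clicker set is the group that usually needs targeted follow-up rather than another all-hands newsletter.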
"The Who and What of training and awareness is just what I needed to take back home." - David Nix - Department of Energy
"Soup to nuts, this class covers the entire designing, building, deploying and measuring an effective security awareness program." - Chris Sorensen - GE Capital
Who Should Attend
- Security awareness training officers
- Chief Security Officers (CSOs) and security management
- Security auditors, governance, and compliance officers
- Training, human resources and communications staff
- Organizations regulated by the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Family Educational Rights and Privacy Act (FERPA), Payment Card Industry Data Security Standard (PCI DSS), ISO/IEC 27001, Sarbanes-Oxley Act (SOX), or any other compliance-driven standard
- Anyone responsible for planning, deploying, or maintaining an awareness program
After being actively involved in information security for over fifteen years, I have seen one constant factor: employees are the weakest link. What amazes me is that so many people agree on this point, but so few organizations do anything about it. I'm determined to change that. I am extremely excited about Securing the Human, as we provide organizations the skills they need to build an effective awareness program and secure their employees. By securing the human, organizations will not only be fully compliant but be far more secure than they could ever be with technology alone. - Lance Spitzner