Cheryl Conley profile picture

Editor's Note:  Over the coming weeks we will post recaps of speakers' talks from the 3rd Annual Security Awareness Summit.  Today Cheryl Conley from Lockheed Martin shares details from her talk and her experiences from the summit. If you missed the summit, consider the European Security Awareness Summit 11 November in London.

The SANS summit was a great opportunity to bond with other passionate Security Awareness professionals and I'm looking forward to the STH Community cyber space discussions.  Based on the feedback and questions after the presentation on the LM (Lockheed Martin) Progressive Accountability and Awareness, thought I'd recap and provide a few keys points.

The agenda included a short brief on who we are at Lockheed Martin and where we've been since our strategy that began in late 2008, execution of The I Campaign(tm) in 2009, with our overall goal to provide teachable moments and drive to a more secure security culture.  The presentation then focused on our phishing program, our approach in tracking UA (Undesired Actions), recognition of ongoing issues with repeat offenders (clickers), and the success of the current program.

This effort entails escalating email notifications for ongoing UA's and diverse training opportunities mapped to those accelerating notifications.  This four step process begins with the first UA impacting the employee only with a Just In Time (JIT) training page; the second UA includes email to the employee copying the leader along with a short training course; with the third UA, the leader is provided the email with the employee copied, requesting the leader to reach out to the employee.  The fourth UA is handed over to the employee's human resource POC, along with the appropriate documentation for a verbal warning issued from HR.  To date, we have seen a 70% reduction in the fourth UA, with significant improvements in the previous steps.

In closing, we looked at some areas to consider related to any discussion of a disciplinary program:  company and corporate culture, unintended resource impacts, consider employee sensitivity, the need for diverse training opportunities, the importance of audit level proof documentation and the overall need for communication to the employee explaining the process.  

I was fortunate to have Carole and Rachael in attendance, two other LM Awareness professionals at the summit, allowing us to field many detailed questions during the two days.  Questions and discussions included obtaining executive support, employee reaction to the progressive process, leader perception and engagement, and metrics that help us pinpoint trouble spots.  We also had a significant number of participants interested in the LM tiered grading concept (which allows for trending of phishing difficulty), the intensity and rationale behind our monthly testing scheme, the actual phishing tool, and how we were able to increase reporting 11 fold over the years.  We've had a great run with enormous success, and I'm thankful and appreciative of the dedicated team at LM.

Special thanks to Lance and the STH team for an impactful, dynamic, valuable event!

BIO:  Cheryl Conley currently is the Lead for the Security Education and Awareness Team at Lockheed Martin.  She has a passion for education and awareness, enhancing security culture across the corporation, and teaches several courses in the IA arena.  The SANS Institute named Cheryl among its 2014 Difference Makers, along with the Lockheed Martin Excellence in Leadership Award for solving complex challenges LM faces in cyber security.