Deana Elizonda profile picture

Editor's Note: Over the coming weeks we will post recaps of speakers' talks from the 3rd Annual Security Awareness Summit. Today Deana Elizondo from American Electric Power shares details from her talk and experiences from the summit. If you missed the summit, consider the European Security Awareness Summit 11 November in London.

This was my third SANS Awareness Summit (all of them AMAZING!!!) and I was very grateful to be able to share how Ambassadors, Champions, & Security Partners have helped us at American Electric Power (AEP). As one of the largest electric utilities in the United States our #1 goal at AEP is to protect the grid and keep the lights on! How long could hospitals, financial institutions, and grocery stores operate without power? For most of our customers, losing power is a real frustration; for some, it's a true emergency.

Anytime a new article or book comes out that talks about cyber security, especially in regards to electricity (such as Ted Koppel’s book “Lights Out: A Cyber Attack, A Nation Unprepared”), we get a lot of questions from our executives. Because of the attention from the Board of Directors and our Executives, we knew we had to step up our game and do a better job of educating ALL of our employees on cyber security risks and threats. The first step was creating the Security Ambassador role.

We created our Security Ambassador position 3 years ago. Ambassadors are Security Specialists within Security and are assigned to a business unit (BU) or region. They are the primary interface between the BU and our Security teams. Responsibilities include:

  • "Building Security In" to all IT projects for their BU, help their business unit identify and reduce Security risk!
  • Security education and awareness within their BU, they share current events and Security trends to help their customers understand the value and need for Security.
  • Attend twice weekly Intelligence Briefings to hear from the Incident & Response teams about specific impacts to AEP, pass along pertinent information to their customers.
  • Work very closely with their Security Champions.

We started our Security Champions program at the beginning of 2015. We had several Security projects we were going to be rolling out, such as Removable Media, Security Network Access Control, and Password & Authentication. Since many of our projects would be impacting everyone, we were looking for "Trusted Business Partners" to help us explain what was coming and why it was important.

  • They are among the first to learn about physical and cyber security programs.
  • The Champions attend monthly meetings where they get the latest news from Security and take that back to their BU, region, or Operating Company.
  • They help determine the best roll out time for their BU, test new tools, and provide feedback or concerns.
  • They share the user’s experience (good or bad) with Security so we can modify the application or tools to be more effective.

The Security Partner of the Month program started this year. We wanted a way to recognize people across the company who were very security conscious in their daily jobs.

  • Program Description: An opportunity to recognize partners who advance the AEP Security mission to protect people, information and assets.
  • Awards & Recognition: challenge coin, quality plaque, & picture/recognition in monthly Security newsletter.
  • Our Security newsletter is distributed to all employees and contractors each month and contains a feature article, monthly training video (SANS!), Security tips, and a whole page dedicated to the Security Partners of the Month (two per month).
  • We continue to get many applicants each month and those that are not selected roll into the next month to be considered.

Andrea Grable, who is our one and only full-time resource managing our Awareness Program, has also attended all three of these Summits. She manages the Champions Program and the Security Partners of the Month Program, and works very closely with the Ambassadors as they help with her headquarter and regional Awareness events. All three of these roles have been a great addition to our Awareness Program and are successful in helping us spread our Security messages. Thanks to Lance and the entire SANS Awareness team for a great Summit!

Bio:  Deana Elizondo is the manager of the Cyber Security Programs & Awareness team within the Cyber Risk & Security Services organization at American Electric Power. She has been with AEP for 12 years and has spent the last 7 years managing this team. Deana's team is responsible for Enterprise Security Policies & Standards, Security Training & Awareness, Security Project Management, and the Ambassador role.