Security Awareness Maturity Model

Editor's Note: Over the coming weeks we will post recaps of speakers' talks from the 3rd Annual Security Awareness Summit. Today Janet Roberts from Zurich Insurance shares details from her talk and experiences from the summit. If you missed the summit, consider the European Security Awareness Summit 11 November in London.

Building a security awareness program is kind of like building a house. You’ve got to start with the foundation or the basement and move on to the framework before you add windows, siding, flower boxes, landscaping and more. Reaching solid maturity, with year-over-year metrics and trending, takes 4-5 years. But there’s always a handful of folks who are like the child in the back seat of the car on a vacation trip asking “Dad, are we there yet?” They want to see immediate metrics, a full-blown security awareness month event, lots of phish training and more, right away! They want the visible and very pretty flower boxes, even if they are hanging off an unsecured framework. This is where the Security Awareness Maturity Model is helpful, and at times, yes, it’s your new BFF (Best Friend Forever!). It’s pretty simple, really.

  1. Mark with a red arrow where your program began on the Maturity Model.
  2. Mark with a red arrow where your program is right now on the Maturity Model.
  3. Insert a text box that states going from “No Program” to “Long Term Sustainability/Metrics” takes 5 years.
  4. Insert a text box with the Solutions you’ve created to move along the Maturity Model.
  5. Insert another text box with the Challenges you face.
  6. Keep the text box content to 3-4 bullet points.
  7. Reassess where you stand on the Maturity Model every 6 months.

Now, hang that Maturity Model up in your cubicle or office. Insert that Maturity Model into presentations, especially if they are to leadership, and into regular reporting around your program. Help people see the Past | Present | Future of your program build in 5-10 seconds. Have a list ready of what you need to keep moving along the Maturity Model, so that when a senior leader says “So what will it take to get to full metrics reporting and long term sustainability?” you have a ready answer to obtain the much-needed help you’ve been wishing for!

If you’re working in a corporation in this day and age, corporate reorganizations and restructuring are a way of life, and ongoing changes in the growing field of information security add to that tension. Layer on the difficulties most security awareness programs have getting support and cooperation from corporate communications, fighting for budgetary needs, and working projects through sign-off, and you need a quick way to get people evangelizing for you and opening the doors you need opened.

I also recommend hanging the SANS Security Awareness Roadmap poster in a prominent, well-trafficked area of the office, or in your office/cube area, to generate good discussions with people who are curious about security awareness but don’t fully understand what it takes to get there. I hung one over the copy machine and another between where the Incident Response and Threat Intel teams sit! Encourage people to ask you questions about the Roadmap and your program, and ask them what on the Roadmap they think fits your company culture and structure. Overall, as you build your security awareness house, here are my lessons learned and recommendations:

  1. More pictures, less talking: Use visual aids to help people “see” what you’re trying to accomplish.
  2. Use an easy design: The Maturity Model in presentations helps busy people get a complete picture quickly.
  3. Make it personal: People need to connect personally to your program. Show where they fit into supporting your program build.
  4. Give easy talking points: Help them take quick messages with them and evangelize for you.
  5. Say “thank you”: It’s great for relationship building and makes people want to go the extra mile for you!

BIO: Janet Roberts, Global Head of Security Education, Awareness & Training (SETAP) at Zurich Insurance: Janet Roberts joined Zurich Insurance in March 2015 as the Global Head of Security Awareness, tasked with building the first security awareness program across Zurich, Zurich North America, and Farmers Insurance. Prior to Zurich, she built the first security awareness program for Progressive Insurance and redesigned the security awareness program at American Express. She holds a B.A. in Journalism from Temple University and an M.A. in Communications from Edinboro University of Pennsylvania. When she’s not building security awareness programs, she’s writing and self-publishing novels, as well as speaking at libraries and to writers’ groups. You can check out her work at