
Editor's Note: Over the coming weeks we will post recaps of speakers' talks from the 3rd Annual Security Awareness Summit. Today Jason Hoenich from Sony shares details from his talk and experiences from the summit. If you missed the summit, consider the European Security Awareness Summit 11 November in London.

I am still reeling from this year’s SANS Security Awareness Summit!  It was such a great event.  We had two days to completely nerd out over the issues we were running into with our cyber security awareness programs, and even better?  Learn about some really great solutions from others who have been through it.  I was excited for this year’s summit, and then I was asked to present as a speaker, and then I wasn’t as excited anymore.  THANKFULLY, I didn’t pass out or throw up all over myself in front of everyone, AND I think I was able to make a little sense in this crazy industry.

I’m a big DIY guy, whether it’s building a dining table or creating my own communications network.  I had shared my solution to getting comms out efficiently on the STH forum once or twice, and Lance urged me to formalize my process and share it with others.  So here is an overview of my “Executive Assistants: Hacking the Corp Comms Jungle” presentation at the 2016 SANS Security Awareness Summit.

THE ISSUE:

  • In a 100k user environment, pushing comms out was typically a complicated process which could take several days/weeks to plan and get scheduled.
  • Information security communications couldn’t always operate within the “rules” of the corp comms approval processes.
  • Needed to assure pertinent information & notifications could get to end users in an efficient, timely process (hours vs. days).
  • For example, a situation where a phishing attack was live and not able to be filtered by applications.

THE FIX:

  • Executive assistant network. To help get communications out efficiently, I turned to my built-in “social connectors”.
  • As admin of the PhishMe program, I used my recipient list to filter roles. I ended up targeting Executive Assistants to EVPs; however, your hierarchy may require different roles.  I chose this level because I could reduce the number of group members and maximize their “connection” strength.  Most of these EVP EAs could disseminate to the EAs who support the senior leaders under the EVP.
  • Lateral Umbrella Effect. I noticed through testing this effect, where one executive assistant would get the message, and share it with another executive assistant, it was like a chain reaction.  Each executive assistant “opened their umbrella” and shared the message with their department.

TIPS:

  • Get support from corp comm first; giving them the opportunity to have buy-in will give you a lot of success in the long run.
  • Once you’ve identified the users you want to be in your new network, email them personally. It makes all the difference.  I had a very high conversion rate because I did a two-prong process:  first an email to give background and invite, and second a 5-minute phone chat to answer questions (and sell the idea and your program).
  • Know what you want from them. For me it was 1 request per quarter to share info, possibly an hour each quarter.
  • Send them viral messages. The number one response to why they wanted to share information was that it was interesting and relevant.
  • Surprise them with a thank-you gift after they’ve completed one request. I had Contigo water bottles printed with our department logo on them and hand-delivered them to my EAs to say thank you.  They loved it.

Bio: Jason Hoenich is the Manager of Security Awareness & Training for Sony Pictures Entertainment, and previously for The Walt Disney Company.  Jason has spent more than 10 years helping end users be safer online, and developing world class programs for some of the biggest names in entertainment & media. Fun fact: Jason listens to audiobooks at a speed of 1.5x, and was recently told that his “fun fact”. Jason has developed a niche for producing funny & engaging security awareness videos and has recently launched a new series at http://hashtagawareness.com.