In our first post about Executing Your Security Awareness Program we discussed putting together your Steering Committee, a team of 5-7 people to help you develop and improve your awareness program.  The second step is identifying who the target is of your awareness program.  WHO then determines what content you will teach and how you will communicate it.  Most security awareness programs start with employees/contractors, but also often just end there.  You most likely have other targets you need to reach, targets that require additional training or different communication methods.  The targets can include
  • IT Staff:  Just because someone is technical does not mean they are secure.  In addition, due to their privileged access IT Staff make a high value target.
  • Developers:  These are the people developing and configuring your applications, often applications directly facing the Internet.  Even some basic security awareness training can go a long way to creating more secure applications.
  • Help Desk:  These people are trained to help others, usually people they do not know or can physically see.  This makes them a primary target for social engineering.
  • Management:  Often a primary target, yet the least aware. Management often do not have time for awareness training, so you may need to develop a shortened version taught in person.
You may have other targets also you need to train.  The key factor is identifying these targets ahead of time so you can plan accordingly.  Also, I'm not suggesting that each target get its own, customized security awareness program.  While in the perfect world that would be great, we have to be realistic about limited time and resources.  In addition, the more customized each program is for each target, the more difficult it is to maintain your program over the years.  Instead, begin by developing your awareness content for your employees/contractors, or whichever target is the most important.  Then, use that as your core training.  Then modify that core training depending on the needs of other targets.  For example, with IT Staff you may want to add additional training on things such as not sharing technical details on public forums.   You most likely also need additional training for Help Desk and Developers.  For Management you may want to reduce it to key points that are relevant directly to them (time is always an issue with senior management).  By identifying key targets early in the program, you will have not only more impact, but can create more engaging training.