In our first post about Executing Your Security Awareness Program we discussed putting together your Steering Committee, a team of 5-7 people to help you develop and improve your awareness program. The second step is identifying who the targets of your awareness program are. WHO you are targeting then determines what content you will teach and how you will communicate it. Most security awareness programs start with employees and contractors, but often they also end there. You most likely have other targets you need to reach, targets that require additional training or different communication methods. These targets can include:
- IT Staff: Just because someone is technical does not mean they are secure. In addition, due to their privileged access, IT Staff make a high-value target.
- Developers: These are the people developing and configuring your applications, often applications directly facing the Internet. Even some basic security awareness training can go a long way toward creating more secure applications.
- Help Desk: These people are trained to help others, usually people they do not know or cannot physically see. This makes them a primary target for social engineering.
- Management: Often a primary target, yet the least aware. Management often does not have time for awareness training, so you may need to develop a shortened version taught in person.