After working with hundreds of organizations on their Security Awareness project planning, I’ve seen an emerging common trend. One of the areas people seem to struggle with the most is establishing their overall awareness goals and objectives. What is it they want to achieve with their program? It can be very difficult to build a successful security awareness program for employees if you don’t know what you want to achieve, and even more difficult to communicate that success to leadership.
I want to review what goals and objectives are and highlight how to successfully create and benchmark those within the security awareness realm. If you have a Project Management Office (PMO), get to know their definitions, such as Key Performance Indicators (KPIs) or Objectives and Key Results (OKRs).
Goal is strategic, what do you want to achieve at a high level.
Objective is a specific, a measurable result that help you achieve your goals.
A fantastic teacher of mine once explained: goals are qualitative while objectives are quantitative.
Regardless of the definition you use, the number one mistake I see people make, time and time again, is their goals and objectives state what they want to do.
Goals and objectives need to focus on what you want to achieve.
For example, I would consider this a weak goal:
“Build a highly dynamic security awareness program that engages the workforce in a positive manner.”
While I love the intent, what is it in this statement that outlines what you want to achieve? What is the outcome? To me this is a WHAT statement, as in what you intend to do. Instead, these goals are stronger in their statement, offering at a strategic level what you want to achieve:
“Achieve compliance with all required regulations and standards.”
“Identify and manage our human risk to an acceptable level.”
“Achieve Level 4 of the Security Awareness Maturity Model by 2022.”
Objectives are specific results that support your goals. They should be quantifiable and measurable. As awareness programs mature, I think it becomes much easier to create specific objectives as you better understand your risks and what you want to do about them. Here are some examples I feel better support the goals listed above.
- Compliance with GDPR, PCI-DSS and GLBA.
- Identify and manage our top five human risks. (This is a more general objective. Good for newer programs where they're not sure where to start).
- Reduce costs related to human related incidents by $500,000.
- Reduce attacker dwell time by 40% by building a human sensor network.
- Ensure all workforce understands and follow our policies.
- Ensure all employees sign the AUP policy in their first three weeks.
- Reduce critical / severe bugs in our Internet facing code by 80%.
- Reduce accidental data-loss incidents by 70%.
- Maintain long-term leadership support by updating executives monthly.
- Implement a metrics program to track and report progress on our program.
While goals and objectives can be difficult, they are essential to building the foundation to an effective awareness program. Avoid the common mistake of describing what you want to do and instead focus on what you want to achieve.
Which of the goals or objectives above do you like the most or least? What goals or objectives have you set for your awareness program?
Learn more about building a mature awareness program and build your own custom project plan at the two-day SANS MGT433 course: Build, Maintain and Measure a Mature Awareness Program
