Goals and Objectives

After working with hundreds of organizations on their Security Awareness project planning, I’ve seen an emerging common trend.  One of the areas people seem to struggle with the most is establishing their overall awareness goals and objectives.  What is it they want to achieve with their program? It can be very difficult to build a successful security awareness program for employees if you don’t know what you want to achieve, and even more difficult to communicate that success to leadership.

I want to review what goals and objectives are and highlight how to successfully create and benchmark those within the security awareness realm. If you have a Project Management Office (PMO), get to know their definitions, such as Key Performance Indicators (KPIs) or Objectives and Key Results (OKRs).  

Goal is strategic, what do you want to achieve at a high level. 
Objective is a specific, a measurable result that help you achieve your goals. 

A fantastic teacher of mine once explained: goals are qualitative while objectives are quantitative

Regardless of the definition you use, the number one mistake I see people make, time and time again, is their goals and objectives state what they want to do. 

Planning

Goals and objectives need to focus on what you want to achieve.

For example, I would consider this a weak goal:

“Build a highly dynamic security awareness program that engages the workforce in a positive manner.”

While I love the intent, what is it in this statement that outlines what you want to achieve? What is the outcome? To me this is a WHAT statement, as in what you intend to do.  Instead, these goals are stronger in their statement, offering at a strategic level what you want to achieve:

“Achieve compliance with all required regulations and standards.”
“Identify and manage our human risk to an acceptable level.”
“Achieve Level 4 of the Security Awareness Maturity Model by 2022.”
 

Objectives are specific results that support your goals.  They should be quantifiable and measurable. As awareness programs mature, I think it becomes much easier to create specific objectives as you better understand your risks and what you want to do about them. Here are some examples I feel better support the goals listed above.

  1. Compliance with GDPR, PCI-DSS and GLBA.
  2. Identify and manage our top five human risks. (This is a more general objective. Good for newer programs where they're not sure where to start).
  3. Reduce costs related to human related incidents by $500,000.
  4. Reduce attacker dwell time by 40% by building a human sensor network.
  5. Ensure all workforce understands and follow our policies.
  6. Ensure all employees sign the AUP policy in their first three weeks.
  7. Reduce critical / severe bugs in our Internet facing code by 80%.
  8. Reduce accidental data-loss incidents by 70%.
  9. Maintain long-term leadership support by updating executives monthly.
  10. Implement a metrics program to track and report progress on our program. 

While goals and objectives can be difficult, they are essential to building the foundation to an effective awareness program. Avoid the common mistake of describing what you want to do and instead focus on what you want to achieve.

Which of the goals or objectives above do you like the most or least?  What goals or objectives have you set for your awareness program? 

many at computers

Learn more about building a mature awareness program and build your own custom project plan at the two-day SANS MGT433 course: Build, Maintain and Measure a Mature Awareness Program

Register today

 

About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.
Article
Crushing Cyber-Risk on an In-House Learning Management System
Humans and technology: We use it professionally, and socially, and everywhere in-between. The tools for training learners can be gathered in a few big buckets; training, simulation, and delivery. Many cybersecurity training program managers face challenges with the delivery of training via a Learning Management System (LMS).
Thumbnail
May 2, 2019
learning management system
LMS
Security Awareness Planning
Security Awareness Program Planning
Article
Goals and Objectives: Where to Start with Your Awareness Program
One of the areas people seem to struggle with the most is establishing their overall awareness goals and objectives. What is it they want to achieve with their program? It can be very difficult to build a successful security awareness program for employees if you don’t know what you want to achieve, and even more difficult to communicate that success to leadership.
Thumbnail
Jan 30, 2019
Security Awareness Planning
Security Awareness Program Planning
Article
Seven Keys to Success for a More Mature Security Awareness Program
If you’ve got your security awareness program up and running, don’t start that victory lap just yet. Implementing the program is only half of the battle. The most successful and mature...
Oct 29, 2018
SANS Security Awareness Report
Security Awareness Maturity Model
Security Awareness Program Planning