Last month we kicked off a blog series on the 4 W's in building an effective awareness program. In the first post we explained that to effectively manage human risk, organizations need to answer four key questions: WHY, WHO, WHAT and HOW. We then started with the first of those four questions, the WHY part. Today we focus on the second question - WHO.
WHO, simply put, asks who is the target of your security awareness program. WHO determines what you will teach people and how you will teach them. Unfortunately, most organizations skip this part by simply stating "everyone." Who is everyone? Most likely this means employees, but what about part-time employees, contractors, vendors, volunteers or perhaps even customers? Is your awareness program going to include just one country, or offices in all countries around the world? Starting with WHO forces you to define the scope of your awareness program.
However, WHO also goes beyond just scope. By defining your targets you can better define WHAT you need to train people on and HOW you will train them. Quite often I see organizations define their WHO as all employees. That can be a good place to start, as most of your organization may require the same baseline of training (what we call core training). But a good sign of a more mature awareness program is one that goes beyond just "everyone" and defines additional target groups that require additional or more specialized training, for example developers, IT staff, senior leadership, or ICS engineers. Each one of these groups not only has additional or specialized training requirements (such as OWASP / SDLC for developers or privileged access for IT staff) but also differs in HOW you communicate to them (senior leadership being a good example). One of the things we developed in the SANS MGT433 course is a series of templates to help answer the 4 W's. For WHO we like to ask the following questions.
- Target: What is the title of your target group?
- Description: Define your target group. A great source for this may be Human Resources.
- Why: Why is this a target group, what makes them special or unique?
- Location: Where is this target group located, where are they based?
- Unique Risks: What unique risks do they have? This will determine WHAT we have to teach them, what behaviors we need to change.
- Unique Learning Requirements: How can we most effectively communicate to this target group? How do they like to learn? Do we need to translate the training?
Not sure where to find the answers to these questions? Go for help. The first place is Human Resources; they understand your organization's workforce. Second, try the Help Desk; they have all the internal gossip on what is going on. Third, spend a day with the target group, live in their world and gain a better understanding of their concerns, goals and how they like to communicate. For an immature security awareness program or one just starting, your target group is most likely going to be everyone. But as you mature, and as you begin to better understand your human risks, you will most likely identify additional targets that require different or additional training. By better understanding WHO those targets are, you will have a far more effective security awareness program.