When working with organizations on security awareness and education, one of the first things I like to start with is asking 'why': what is their motivation? The motivation for deploying an awareness program often has a large impact on how it is designed, implemented and supported. It often determines the priority of topics, the budget, who will be in charge of the program, who the target of the program is, etc. As such, you want to pay careful attention to the reasons behind the 'why'. To help you get started, these are the four most common motivations I have seen.
- Compliance: I always shudder a bit when organizations state this is their primary motivation. If all an organization wants is the ability to check a box (be it for a PCI DSS audit, an ISO 27001 review, etc.), then I am concerned that their goal is the minimum standard and that they will invest the absolute minimum resources. The result is often nothing more than some type of boring online training consisting of nothing more than PowerPoint slides. In addition, the content is often poorly organized and out of date. For compliance purposes, organizations are more concerned that all possible topics are covered, and less concerned about prioritizing topics and communicating them effectively. Unfortunately, it is awareness programs like these that have given awareness, and the concept of securing the human, a bad name. The problem is that compliance is often the only way a security team can get management buy-in or a budget. If compliance is the only way you can get management support, be sure you do not fall into the 'compliance trap' when planning your program.
- Clients / Partners: Sometimes an organization is not required or regulated by its own industry to have security awareness and education, but its clients or partners are. Law firms are a good example. Law firms take on a variety of different clients that have different types of data and are subject to different regulations. For example, if they are working on a health care related case, they may be handling patient data which falls under HIPAA. If they are dealing with financial clients or merchants that process card payments, they may be handling PCI DSS related data. As a result, the clients will require the law firm to have security awareness and education, as per the clients' own regulations. These situations can be more challenging, as a variety of different needs must be met.
- Incident: As is often the case in security, it takes an incident to get the attention (and support) of management. Security awareness is no different. I worked with one client where awareness became a major issue after a password incident; specifically, employees were sharing their passwords with supervisors. As a result of the incident, an awareness campaign was implemented with one of the key focuses on proper password use. The value added in a situation like this is that management's focus is on awareness and education that makes a difference, not just checking a box. If you find yourself in this situation, make sure you take advantage of it, but implement a comprehensive program that addresses the risks where it adds the most value, not just the one that triggered the incident.
- Mitigating Risk: This is the best case scenario. This is when an organization understands the risks of the human element and wants to implement a comprehensive solution that makes a difference. Just as an organization would budget for, plan and deploy any other security solution (encryption, patch management, single sign-on, etc.), it budgets for, plans and deploys a comprehensive awareness solution with the goal of reducing risk. For me these are the most exciting programs, and usually the most challenging!
Do you see a common motivator for awareness programs missing? Let me know!