Security Awareness questions SECO needed answers to.
Most security awareness officers grapple with the same fundamental questions. Over 60% of security professionals spend less than a quarter of their time on security awareness, and over 50% of these professionals have a budget of less than $5000, according to the 2016 Security Awareness Report by SANS Institute.
Having fewer resources and less time are defining characteristics of the modern security awareness officer. As head of all IT security with a purview ranging from analyzing packet traffic and network flows to security awareness training, time is precious and in short supply for Gabriel Sanchez of SECO Energy. Sanchez spends roughly 10-15% of his time on security awareness, so he needs to be incredibly efficient, and effective, in the time he does spend on awareness.
So Sanchez decided to leverage proven tools, templates and pre-built resources to increase his impact across the entire organization.
Be resource efficient
Gabriel Sanchez is a one-man security awareness army. His goals mirror those of hundreds of other security awareness officers at organizations large and small: engage and train employees to exhibit more secure behaviors so they can be the front line of defense against cyber threats. As he built the security awareness training program at SECO, Sanchez had questions that needed answering in three main areas:
How mature is our awareness program and how do I take it to the next level?
What tools and resources do I need to implement the plan? What path do I need to take?
How can I show progress against the plan to key stakeholders?
About SECO Energy
SECO Energy is a not-for-profit electric cooperative serving nearly 200,000 families and businesses across seven counties in Central Florida. SECO Energy is the third largest electric co-op in Florida and the seventh largest in the nation. In 2015, SECO Energy was honored to be ranked “Highest in Customer Satisfaction among Midsize Utilities in the South” by J.D. Power. In 2016, SECO Energy was ranked highest in customer satisfaction among all electric cooperatives nationally by J.D. Power.
For many years, Sanchez used freely available security awareness resources from SANS Securing The Human, including the OUCH! Newsletter, posters, videos and templates. When it came time to formally build a security awareness program, he purchased SANS Securing The Human End User and enrolled in the Management 433 class, “How to Build, Maintain and Measure a High Impact Awareness Program.”
Getting the work done
“Our approach was to ease into it since it was a pretty big culture shift for us,” noted Sanchez when describing how he got started. He prioritized vulnerabilities and their potential impact on the organization to start. For SECO that meant social engineering (phishing), USB use and passwords. He went on to note, “We initially partnered with our safety department. Our strategy was to tie safety and cybersecurity together, and to really make them essentially the same. It’s a normal part of the culture here to have lots of safety meetings and for safety meetings to cover the entire cooperative. It made sense for us to continue with that and utilize some of the Securing The Human templates and methodology.”
Using the Security Awareness Maturity Model
Sanchez added, “We used the maturity model to say ‘OK, here’s where we are now. We’re at the beginning in the maturity model and here’s how we’re going to progress over time’.” Sanchez tried not to overdo it because he didn’t want to create so much shock to the culture that it wasn’t going to be successful.
The maturity model is really a beautiful thing, because it’s a map, a guide laid out for you and it’s been proven and utilized in other companies.
The maturity model became a central pillar to the program. Describing the impact of the model, Sanchez remarked, “It’s saved me a tremendous amount of time.”
Templates that work for you
One of the key ingredients enabling Sanchez to single-handedly build a security awareness program from the ground up has been his liberal use of pre-built SANS templates, particularly when it comes to the nuts and bolts of getting the work done. “I’m looking at our execution plan right now, it’s about twenty pages,” noted Sanchez. “If I had to do that from scratch, from the outline to the whole thing, it would have taken me double to triple the amount of time.”
Beating the social engineers
For security awareness programs to grow they need to gain leadership support and the ever-elusive ‘executive buy-in.’ Sanchez remarked that “We were able to show (the plan) to upper management and get buy-in on it being a policy that people have to get security awareness training. For us, that was a first. And we’ve been around for 70+ years. Now we’re getting complete sign off from all upper management and buy-in, which is even more important.”
SECO is now in its second year of rolling out a formal security awareness program. They utilize many Securing The Human templates including the project charter, management support matrix and steering committee approach. Sanchez added, “Now we are up to the level where we have a steering committee of specific people within help desk, human resources, a VP and corporate communications.”
The power of SECO’s security awareness program came into full view after a key accounting staff member received an email with an attachment requesting a past due invoice be paid from a legitimate address and from what appeared to be a legitimate company. All the parts of the email were legitimate but the sum total of the message seemed off to the employee.
Over the preceding months, Sanchez had reinforced core security awareness messages and secure behaviors with the accounting department. The awareness training and message had sunk in. And it changed behavior. The employee forwarded the email to IT for further inspection. It was an attempt to infect the employee’s computer system. Sanchez summarized the economic impact of the awareness training and change in behavior: “The savings from that small trigger alert that went off in that person’s mind to alert us saved us nearly seven figures.”