"We need to address the behaviors of people within the organization. That is what we are trying to modify with our information security awareness programs," says Benjamin Brooks, who kicked off the session.
Brooks is a 19-year Navy veteran of Information Warfare, Electronic Warfare, and Special Warfare, and is Co-Founder of the Cyber Warrior Foundation.
He believes the point of an information security risk program is operational risk management, not just IT risk.
How do you begin a security awareness program?
Brooks suggests three key steps to setting up a security awareness program:
1. Identification of high-value assets
2. Communication: "We have to communicate why. Why are we trying to protect it? What is the actual risk?"
3. Look for the best-value implementation
How do you sell a security awareness program to your organization?
Dale Zabriskie, Security Awareness Evangelist at Proofpoint Security Awareness Training, is an expert on selling the value of a security awareness program.
He shared some ideas on how you can do this and gain organizational support.
"In technology, when we get into bits and bytes, we take emotion out of it. But ultimately, the decisions being made by your organization to do something like security awareness are based on emotion. How is your effort going to help the organization succeed?"
A great way to take your company's emotional temperature, Zabriskie says, is to: "Read your company's annual report. This is your company's language. Be sure to read the risk factor section. Almost all companies say things about cyber risk."
And go beyond that, he says. Look at the operational risk factors the report details. Then explain how security awareness is going to reduce the odds of interrupted operations.
"Look at mission statements, vision statements, and things like that. How will your security awareness program apply to or help achieve those?"
He also suggests reading the book "Made to Stick" because it contains a communication framework that can help you reach others with your security message.
"If you sell the value of what you're doing for the company, they will find the money for you to do it. However, you have to know your audience, what is important to them."
What is the difference: security training vs. security awareness?
The terms security awareness and security training are often thrown around interchangeably. However, they are two different parts of a puzzle, according to Donna Gomez, Security Risk and Compliance Analyst for Johnson County, Kansas.
Gomez led the next part of the web conference.
"Awareness is like a highlight reel. It's about engagement, it's about getting their attention," she says. "This can be frequent, perhaps related to something in the news or on social media."
And then there is security training.
"Training is the detailed part. Give them the meat of what they need to learn and need to apply. Hopefully, you also have some sort of policy they can read and refer to after the training is over."
Training, she says, also needs to give you evidence that employees have completed it. And it should be in line with your organization's policies and procedures.
Speed limits are posted, yet some drivers repeatedly speed and some get speeding tickets. Why do they do this? That's a good question.
A question we can more easily answer is why some people fail to adopt security awareness and training best practices. Gomez suggests asking:
"Was something lost in translation and I need to communicate differently? Or could some employees be under particular business demands that are taking all of their focus? Are they distracted in some other way?"
Answering these questions will help you assess your program and identify the next steps to take. She also suggests audience surveys to gain feedback from employees: how would they like to learn more about security?
For Donna Gomez, the best feeling is when she sees security culture change and employees become champions for doing business in a secure way: "It's like having carbon copies of yourself all over the company."
Additional tips: how can I build a security awareness program?
We've only hit the highlights here. There is much more in the SecureWorld web conference, Building an Effective Security Awareness Program, which is now available on-demand.
And be sure to check out the brand new SecureWorld cybersecurity podcast, The SecureWorld Sessions.