Since this magazine's inception, our CSO friends and sources have bemoaned the prevalence, throughout the enterprise, of wrong-headed views on what constitutes an excellent security mission and program. Frequently, the complaints have pointed explicitly to the upper organizational reaches—CEOs, other O's, boards of directors. But the problem of wrong-headed notions about security in general is often acknowledged to be both deep and widespread.
Some years ago, CSO interviewed famously colorful consultant Thornton May (see Why Security Needs to Blow Its Own Horn). May generalized about security executives: "These guys are gifted nonbranders! They couldn't sell water to a man on fire!"
We beg to differ. There is plenty that lies beyond a CSO's direct control. But we are here to tell you this: One thing CSOs do have control over, and accountability for, is the way the security program is perceived and understood within the enterprise. It all boils down to awareness, which is built through patient and relentless education and marketing—yes, marketing—about the importance of security as both the guardian and enabler of core business value.
An aggressive, well-designed and -executed security awareness program can help to transform the business culture, increase overall security program effectiveness and present the "brand" of the security function in a more positive, business-focused light. It can also help the security executive "sell up" to senior management and achieve the elusive goal of tight integration between business strategy and security practice.
CSO and the CSO Executive Council, an affiliated professional group, recently conducted an online survey aimed at gauging the current state and prevalence of awareness programs. Though training is certainly a subset, our survey defined formal security awareness programs as those that go beyond the basic training of newly hired employees to educate them about the organization's policies and procedures. Our definition cast awareness initiatives as more in line with a full and timely security curriculum, delivered to—and sometimes beyond—the enterprise in a variety of ways, and embodying many of the features of a highly effective marketing campaign.
The results of our survey are mainly encouraging, showing that a vast majority of respondents are more than ready to bottle and sell water in the hopes of making combustion of all kinds much less likely.
First, 74 percent of our 168 respondents said they have formal awareness programs in place that are at least one year old, though such programs range in maturity. Of these, 27 percent said they have young programs that are between one and two years old; that was the most popular answer. Of the remaining respondents, 18 percent were planning to launch a program. Only 8 percent did not have plans for an awareness program.
Existing awareness programs target, in varying degrees, multiple constituencies—from boards of directors to senior executives to rank-and-file employees and even, sometimes, outward to trading partners and customers. Boards of directors (50 mentions) were in nearly a dead heat with vendors (49 mentions) for getting the least awareness attention. Not surprisingly, employees (148 mentions) got the most. Senior management (123), business unit management (114) and CEOs (84) also got plenty of focus.
We also subdivided these audiences into specific functions. Not surprisingly, security, operations, IS/IT, HR and compliance were the top attention getters. Interestingly, among internal constituencies, engineering/manufacturing (68 mentions) and R&D (72 mentions) ranked near the bottom of the list. But the absolute low-vote total went to partners—those outside of the enterprise. (For a look at the value of treating awareness issues beyond your own walls, see "Building Key Alliances," opposite page).
There is recognition that different purposes (and audiences) call for different strategies. Take audiences, for example. Cherry Delaney, who is just launching a cybersecurity awareness initiative at Purdue University (see "Getting Started," Page 34) has identified three core audiences—staff, students and faculty—and has chosen to take them on one at a time (which makes sense because, for now, she's a one-person department). Delaney has plans to exploit the popularity with students of social networking sites like Facebook.com—a venue unlikely to be of much value in reaching staff, whom she is targeting with luncheons, live seminars and intranet-based interactive training.
Besides training (129 mentions), respondents use e-mail and newsletter alerts (119 mentions), slide presentations (103), live events and meetings (94), and the corporate intranet (93). A fun-loving 46 respondents said they use quizzes, games and other reward/recognition ploys to test the effectiveness of awareness messaging (see "Teaching Tangible Lessons," this page). Twenty-three said they hold live events explicitly for the CEO or board of directors.
We asked respondents to rate which areas of the business benefited most from their awareness efforts. By a nearly 2-to-1 margin, respondents cited reductions in operational risk (to employees or the business) over other risk areas such as customers or reputation and corporate or business-unit growth. This seems plausible, since the area of operational risk is perhaps the lowest-hanging fruit for awareness programs, the place where CSOs can most easily demonstrate benefits.
It is reasonable to infer that our survey may have self-selected believers in awareness activities. Still, the results show that the development of awareness programs is a growth sector. Especially worth noting in that regard is the high number of efforts that are either just getting going (18 percent) or have been running for fewer than two years (27 percent). Apparently, most of you have now moved beyond bemoaning ignorance and are now spreading enlightenment.
Teaching Tangible Lessons
Will Pelgrin?Director, Office of Cyber Security and Critical Infrastructure Coordination, State of New York
Awareness promotion strategy?Hands-on tests
Will Pelgrin says he was the kind of child who had to burn his finger on the hot stove before he understood his mother's warnings not to touch. "I'm sort of tactile in my approach to learning," says Pelgrin. "Until I touched it, I didn't really learn the lesson."
So, to recap: When it comes to learning lessons, listening is good, but experiencing is better.
Believing more people are like him than not, Pelgrin values the importance of a good tangible lesson. This led him to concoct an innovative awareness exercise in the spring and summer of 2005, when phishing was the scourge of the moment. "One thing I was concerned with was, you know, we send out advisories all the time, we send out alerts, we send out white papers. Were they resonating with the individuals I sent them to?"
Phishing's mechanisms were not as broadly understood then as they eventually became, and awareness defenses against it—the immune response to social engineering—weren't fully developed. Pelgrin's team had been working to spread the word in the usual ways. To test the effectiveness of his antiphishing campaign, he got permission to simulate a phishing attack and aim it at 10,000 New York state employees across five state agencies. "I wanted to see if we could make a bigger impact by demonstrating [the dangers of phishing] versus just [issuing] advisories saying here's what will happen if you fall prey to it."
In practical terms this meant crafting a phishing-style e-mail intended to trick recipients into surrendering their user IDs and passwords. The e-mail, purporting to come from Pelgrin's own agency, said that the state had just purchased a "password-checker" software program that could evaluate whether users' passwords were good or bad, and that it needed their access information in order to do its work.
"I figured this would be really blatant, but also somewhat enticing as well. It was a fake URL; it came from, allegedly, our [information security office] here, but the actual e-mail address was not the correct one. So if people were doing due diligence, we gave them absolute hints throughout. We didn't want to have it so foolproof that there was no opportunity for someone to sit back and say, Wait a second, something else is going on here.'"
The e-mail linked to a bogus webpage purporting to be an official state document. Pelgrin's team coordinated with the Anti-Phishing Working Group to make sure their design embodied the earmarks of a state-of-the-art phishing attack. The document included a form asking users for their IDs and passwords. As soon as a recipient placed his cursor inside either of the dialog boxes on the form, it was assumed he had fallen for the scam and the exercise automatically ended. "We didn't want anyone thinking we were [actually] going to capture secure or sensitive data."
(There's this weird double-negative thing at work here: A fake phishing e-mail goes out intended to fake-fool users by sending them to a fake-fake website where they end up being not really entrapped.)
According to Pelgrin, 15 percent of the 10,000 recipients fell prey to the simulated attack. Users deemed to have failed were sent to a brief online tutorial he authored on how to recognize a phishing attack; they were also shown a video on phishing from Microsoft and then presented with a quiz inviting them to view 10 websites and decide which were genuine and which were fake. (The quiz is available from Mail Frontier at www.sonicwall.com/phishing.) "I wanted this to be a very warm and fuzzy approach to learning," Pelgrin says.
Besides his enthusiasm for demonstrative learning, Pelgrin also extends his awareness work beyond New York to other states and government agencies, both through informal networking activities and through his chairing of the Multi-State ISAC (www.msisac.org), which hosts a Cyber Security Awareness Toolkit and other resources.
Building Key Alliances
Greg Halvacs?VP and CSO, Cardinal Health
Awareness promotion strategy?Get decision-makers involved
Greg Halvacs is a relationship builder. Just about every good thing that happens for Halvacs' security program grows out of the strong connections he's made with key people in the business. For example, when he headed up global security at Kraft (he joined Cardinal in April), he says, "I built strong relationships with quality [control]. Because nothing got done at Kraft unless there was a quality process [involved]. So getting the senior vice president of global quality on board and sharing, like on issues around the whole area of food protection, was a big win."
But Halvacs doesn't stop with top functional executives; he also works to create deep linkages across the entire organization. At Kraft, which has operations in 152 countries and at hundreds of sites, Halvacs identified and recruited between 300 and 400 "site coordinators," whom he empowered to be his local emissaries. (Note: Halvacs is a member of the CSO Executive Council.)
"We trained them on the basic elements, the basic X's and O's of Security 101," he says. "Because what I've found is that you'll never have a large [security] organization, so you have to empower the field and show them what they can do to prevent things." For example, while at Kraft he published a simplified field guide on how to handle investigations without needing someone from global security to parachute in (though, of course, there was a soft-sell bailout: "And if you need help, call us").
"Driving programs through the site coordinator is key so that there's [local] ownership. And the mantra of the day for us—what I pushed [at Kraft] and now at Cardinal—is to try to build self-sufficient programs. Give [functional leaders and site management] the information they need so they can make the best decisions," he says.
While CSOs often talk about creating a "culture of security," Halvacs recognizes that the diversity of internal organizations suggests that security programs have to exist in, and be transportable to, many different cultures. "Everybody has a different need and a different spin—whether it's a sales office or whether it's a manufacturing facility or a corporate office," he says.
Awareness programs can reach beyond the enterprise to touch suppliers and other trading partners. "At Kraft we did the same thing with our suppliers and comanufacturers [as we did internally]. We built awareness in baseline [programs] and standards that they had to follow. And we allowed them to plug in to our training and awareness resources," he says. Although imposing internal standards externally can be politically delicate, Halvacs says that "because we were very important customers of theirs, they would basically bend over backward." Again, his strategy was to have Kraft executives in the quality group, as the substantive owners of the supplier relationships, drive the third parties' compliance with global security's standards.