Security Awareness Programs: Now Hear This!

Awareness programs are the cheapest way to prevent costly problems, but the security message can be easy to ignore. CSOs and CISOs share their strategies for spreading the good word.

Since this magazine's inception, our CSO friends and sources have bemoaned the prevalence, throughout the enterprise, of wrong-headed views on what constitutes an excellent security mission and program. Frequently, the complaints have pointed explicitly to the upper organizational reaches—CEOs, other O's, boards of directors. But the problem of wrong-headed notions about security in general is often acknowledged to be both deep and widespread.

Some years ago, CSO interviewed famously colorful consultant Thornton May (see Why Security Needs to Blow Its Own Horn). May generalized about security executives: "These guys are gifted nonbranders! They couldn't sell water to a man on fire!"

We beg to differ. There is plenty that lies beyond a CSO's direct control. But we are here to tell you this: One thing CSOs do have control over, and accountability for, is the way the security program is perceived and understood within the enterprise. It all boils down to awareness, which is built through patient and relentless education and marketing—yes, marketing—about the importance of security as both the guardian and enabler of core business value.

An aggressive, well-designed and -executed security awareness program can help to transform the business culture, increase overall security program effectiveness and present the "brand" of the security function in a more positive, business-focused light. It can also help the security executive "sell up" to senior management and achieve the elusive goal of tight integration between business strategy and security practice.

CSO and the CSO Executive Council, an affiliated professional group, recently conducted an online survey aimed at gauging the current state and prevalence of awareness programs. Though training is certainly a subset, our survey defined formal security awareness programs as those that go beyond the basic training of newly hired employees to educate them about the organization's policies and procedures. Our definition cast awareness initiatives as more in line with a full and timely security curriculum, delivered to—and sometimes beyond—the enterprise in a variety of ways, and embodying many of the features of a highly effective marketing campaign.

The results of our survey are mainly encouraging, showing that a vast majority of respondents are more than ready to bottle and sell water in the hopes of making combustion of all kinds much less likely.

First, 74 percent of our 168 respondents said they have formal awareness programs in place that are at least one year old, though such programs range in maturity. Of these, 27 percent said they have young programs that are between one and two years old; that was the most popular answer. Of the remaining respondents, 18 percent were planning to launch a program. Only 8 percent did not have plans for an awareness program.

Existing awareness programs target, in varying degrees, multiple constituencies—from boards of directors to senior executives to rank-and-file employees and even, sometimes, outward to trading partners and customers. Boards of directors (50 mentions) were in nearly a dead heat with vendors (49 mentions) for getting the least awareness attention. Not surprisingly, employees (148 mentions) got the most. Senior management (123), business unit management (114) and CEOs (84) also got plenty of focus.

We also subdivided these audiences into specific functions. Not surprisingly, security, operations, IS/IT, HR and compliance were the top attention getters. Interestingly, among internal constituencies, engineering/­manufacturing (68 mentions) and R&D (72 mentions) ranked near the bottom of the list. But the absolute low-vote total went to partners—those outside of the enterprise. (For a look at the value of treating awareness issues beyond your own walls, see "Building Key Alliances," opposite page).

There is recognition that different purposes (and audiences) call for different strategies. Take audiences, for example. Cherry Delaney, who is just launching a cybersecurity awareness initiative at Purdue University (see "Getting Started," Page 34) has identified three core audiences—staff, students and faculty—and has chosen to take them on one at a time (which makes sense because, for now, she's a one-person department). Delaney has plans to exploit the popularity with students of social networking sites like Facebook.com—a venue unlikely to be of much value in reaching staff, whom she is targeting with luncheons, live seminars and intranet-based interactive training.

Besides training (129 mentions), respondents use e-mail and newsletter alerts (119 mentions), slide presentations (103), live events and meetings (94), and the corporate intranet (93). A fun-loving 46 respondents said they use quizzes, games and other reward/recognition ploys to test the effectiveness of awareness messaging (see "Teaching Tangible Lessons," this page). Twenty-three said they hold live events explicitly for the CEO or board of directors.

We asked respondents to rate which areas of the business benefited most from their awareness efforts. By a nearly 2-to-1 margin, respondents cited reductions in operational risk (to employees or the business) over other risk areas such as customers or reputation and corporate or business-unit growth. This seems plausible, since the area of operational risk is perhaps the lowest-hanging fruit for awareness programs, the place where CSOs can most easily demonstrate benefits.

It is reasonable to infer that our survey may have self-selected believers in awareness activities. Still, the results show that the development of awareness programs is a growth sector. Especially worth noting in that regard is the high number of efforts that are either just getting going (18 percent) or have been running for fewer than two years (27 percent). Apparently, most of you have now moved beyond bemoaning ignorance and are now spreading enlightenment.

Teaching Tangible Lessons

Will Pelgrin?Director, Office of Cyber Security and Critical Infrastructure Coordination, State of New York

Awareness promotion strategy?Hands-on tests

Will Pelgrin says he was the kind of child who had to burn his finger on the hot stove before he understood his mother's warnings not to touch. "I'm sort of tactile in my approach to learning," says Pelgrin. "Until I touched it, I didn't really learn the lesson."

So, to recap: When it comes to learning lessons, listening is good, but experiencing is better.

Believing more people are like him than not, Pelgrin values the importance of a good tangible lesson. This led him to concoct an innovative awareness exercise in the spring and summer of 2005, when phishing was the scourge of the moment. "One thing I was concerned with was, you know, we send out advisories all the time, we send out alerts, we send out white papers. Were they resonating with the individuals I sent them to?"

Phishing's mechanisms were not as broadly understood then as they eventually became, and awareness defenses against it—the immune response to social engineering—weren't fully developed. Pelgrin's team had been working to spread the word in the usual ways. To test the effectiveness of his antiphishing campaign, he got permission to simulate a phishing attack and aim it at 10,000 New York state employees across five state agencies. "I wanted to see if we could make a bigger impact by demonstrating [the dangers of phishing] versus just [issuing] advisories saying here's what will happen if you fall prey to it."

In practical terms this meant crafting a phishing-style e-mail intended to trick recipients into surrendering their user IDs and passwords. The e-mail, purporting to come from Pelgrin's own agency, said that the state had just purchased a "password-checker" software program that could evaluate whether users' passwords were good or bad, and that it needed their access information in order to do its work.

"I figured this would be really blatant, but also somewhat enticing as well. It was a fake URL; it came from, allegedly, our [information security office] here, but the actual e-mail address was not the correct one. So if people were doing due diligence, we gave them absolute hints throughout. We didn't want to have it so foolproof that there was no opportunity for someone to sit back and say, Wait a second, something else is going on here.'"

The e-mail linked to a bogus webpage purporting to be an official state document. Pelgrin's team coordinated with the Anti-Phishing Working Group to make sure their design embodied the earmarks of a state-of-the-art phishing attack. The document included a form asking users for their IDs and passwords. As soon as a recipient placed his cursor inside either of the dialog boxes on the form, it was assumed he had fallen for the scam and the exercise automatically ended. "We didn't want anyone thinking we were [actually] going to capture secure or sensitive data."

(There's this weird double-negative thing at work here: A fake phishing e-mail goes out intended to fake-fool users by sending them to a fake-fake website where they end up being not really entrapped.)

According to Pelgrin, 15 percent of the 10,000 recipients fell prey to the simulated attack. Users deemed to have failed were sent to a brief online tutorial he authored on how to recognize a phishing attack; they were also shown a video on phishing from Microsoft and then presented with a quiz inviting them to view 10 websites and decide which were genuine and which were fake. (The quiz is available from Mail Frontier at www.sonicwall.com/phishing.) "I wanted this to be a very warm and fuzzy approach to learning," Pelgrin says.

Besides his enthusiasm for demonstrative learning, Pelgrin also extends his awareness work beyond New York to other states and government agencies, both through informal networking activities and through his chairing of the Multi-State ISAC (www.msisac.org), which hosts a Cyber Security Awareness Toolkit and other resources.

Building Key Alliances

Greg Halvacs?VP and CSO, Cardinal Health

Awareness promotion strategy?Get decision-makers involved

Greg Halvacs is a relationship builder. Just about every good thing that happens for Halvacs' security program grows out of the strong connections he's made with key people in the business. For example, when he headed up global security at Kraft (he joined Cardinal in April), he says, "I built strong relationships with quality [control]. Because nothing got done at Kraft unless there was a quality process [involved]. So getting the senior vice president of global quality on board and sharing, like on issues around the whole area of food protection, was a big win."

But Halvacs doesn't stop with top functional executives; he also works to create deep linkages across the entire organization. At Kraft, which has operations in 152 countries and at hundreds of sites, Halvacs identified and recruited between 300 and 400 "site coordinators," whom he empowered to be his local emissaries. (Note: Halvacs is a member of the CSO Executive Council.)

"We trained them on the basic elements, the basic X's and O's of Security 101," he says. "Because what I've found is that you'll never have a large [security] organization, so you have to empower the field and show them what they can do to prevent things." For example, while at Kraft he published a simplified field guide on how to handle investigations without needing someone from global security to parachute in (though, of course, there was a soft-sell bailout: "And if you need help, call us").

"Driving programs through the site coordinator is key so that there's [local] ownership. And the mantra of the day for us—what I pushed [at Kraft] and now at Cardinal—is to try to build self-sufficient programs. Give [functional leaders and site management] the information they need so they can make the best decisions," he says.

While CSOs often talk about creating a "culture of security," Halvacs recognizes that the diversity of internal organizations suggests that security programs have to exist in, and be transportable to, many different cultures. "Everybody has a different need and a different spin—whether it's a sales office or whether it's a manufacturing facility or a corporate office," he says.

Awareness programs can reach beyond the enterprise to touch suppliers and other trading partners. "At Kraft we did the same thing with our suppliers and comanufacturers [as we did internally]. We built awareness in baseline [programs] and standards that they had to follow. And we allowed them to plug in to our training and awareness resources," he says. Although imposing internal standards externally can be politically delicate, Halvacs says that "because we were very important customers of theirs, they would basically bend over backward." Again, his strategy was to have Kraft executives in the quality group, as the substantive owners of the supplier relationships, drive the third parties' compliance with global security's standards.

Asked what he thinks the "killer benefit" of awareness benefits is, Halvacs alludes to a core CSO challenge: getting key decision-makers to respond appropriately in a potentially volatile situation. "It's knowing when to pick up the phone when they get in trouble, from the very first, and not screwing something up and shoving it under the rug. [It's getting] the light to come on when they're in the middle of the situation," before it spirals into crisis. "That, I think, is the biggest bang for the buck," he says.

Halvacs says good awareness programs can help drive home to senior management the ROI of proactive security initiatives. He cites background screening and drug testing. "Those are real numbers, you know, because the government says [drug abuse costs a business] anywhere from $10,000 to $12,000 per employee" annually (in health claims, sick time, workers' comp and on-the-job injuries). Adding drug testing to preemployment background screenings can save a business $1 million a year for every 100 high-risk applicants it doesn't hire. "You can really show the ROI, or cost avoidance," Halvacs says.

So, how would he advise someone just starting an awareness program? "I would definitely do some due diligence and work at the high level—the VP, senior VP level. Ask what are the needs in their organizations, what's keeping them up at night. I think, more than anything, it's building relationships at the top," he says. "Really, the key word is partnership."

Getting Started

Cherry Delaney?Coordinator of Security Awareness and Outreach, Purdue University

Awareness promotion strategy?Divide and conquer unruly constituencies

When launching a security awareness program, you may find it hard to know where to begin and harder still to stick to your strategic plan—all that flagrant lack of awareness crying out for remediation! Cherry Delaney, Purdue University's coordinator of security awareness and outreach, faces the tug of competing priorities on a daily basis.

Delaney, a 10-year IT veteran who is just eight months down the road toward creating the school's first cybersecurity awareness program, is a lone ranger patrolling an uneasy range. "There's just one of me," she says. And Purdue, based in West Lafayette, Ind., is like other universities, committed to traditions of open inquiry and free-flowing information.

Academic culture is thus a double-edged sword that presents special challenges to a security program. "That is a problem. We do really try to stay open," acknowledges Delaney. "And so hackers, or whoever, are hitting us harder than [they do] corporate sites, because we don't nail things down; we don't shut down as much as [businesses] do to control things."

Add to that the regular turnover of significant percentages of the user community—students, staff and faculty who come and go with each new semester—and you have awareness issues of extra complexity.

As with any unbegun awareness program, there's no wrong time to start one. But, in Purdue's case, why now? "We had a breach of Social Security numbers last year," says Delaney, "and that really heightened [the interest in improving awareness]. Making national headlines is not a good thing."

That Purdue breach, along with other well-publicized data mishaps in both government and the private sector, got people tuned in much more urgently to the fact that Purdue "needed to have some kind of marketing communication and training in awareness." Moreover, Indiana, like many other states, recently passed legislation governing Social Security disclosure and breach notification, placing new liability on institutions of all kinds.

Delaney's launch strategy has been to address the university's three blocks of users—staff, students and faculty—one constituency at a time. She chose to start with university staff, in part because they, more than students or faculty, would be subject to the state's new data-handling requirements. Plus, after nine years spent in Purdue's IT function, Delaney is well-acquainted and has influence with that group. "It's not that I'm doing nothing for students and faculty," she says. It's just that she's trying to remain focused on first things first and not allow herself to be run in too many directions.

In getting the word out about security priorities, Delaney relies on departmental luncheons, webcasts, podcasts and low-cost campuswide publicity (pitching security-related stories to The Exponent, Purdue's daily student newspaper, and Inside Purdue, a publication for faculty and staff). In October she held a staffwide Security Awareness Month, featuring daylong presentations on the most urgent data security issues: encryption, data security on the road and working from home, information classification and the operational requirements of the new state regulations.

One challenge is communicating with her various audiences in terms that will resonate with each. "You have different levels of expertise you have to talk to," she says. And not only expertise but frames of reference. "I mean, not as many staff people are going to be on Facebook.com [a social networking site popular with collegians] as students. So you've got different issues, depending on the demographics of the people you're trying to reach," she says.

Faculty members represent perhaps the toughest nut to crack. They enjoy plenty of authority and autonomy. For that reason they are a little like lawyers or physicians—two famously tough groups to domesticate to habits of right behavior that may seem in conflict with their sense of mission. That reality makes it clear why Delaney might want to get her game face on by tuning up with the friendly staff.?

Lew McCreary, CSO's former editor in chief, is a member of the Content Expert Faculty of the CSO Executive Council.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies