When we were asked to keynote a recent CSO event, it was a pleasant surprise that the top concern of the CSOs was "security culture." Having performed many security assessments and penetration tests, we find it sadly obvious that even the best technical security efforts will fail if the company has a weak security culture. It is heartwarming that CSOs are now moving past purely technological solutions and towards instilling a strong security culture as well.
To determine the components of a truly successful security awareness program, we performed a study to identify critical success factors for building one. We interviewed security awareness practitioners at Fortune 500 companies and surveyed the security staff and general employees at those companies. We then validated the results and gathered additional information at a security executive event in the United Kingdom with more than 150 security executives participating.
While there are many more lessons to be learned, what follows are the 7 most notable habits we found that lead to successful security awareness programs.
1. C-Level support
Awareness programs that obtain C-level support are more successful. This support leads to more freedom, larger budgets and cooperation from other departments. Anyone responsible for running a security awareness program should at least attempt to obtain strong executive support before focusing on anything else.
Yes, getting this level of support can be difficult, but our research also found best practices for obtaining it. Successful efforts frequently highlighted that security awareness was required for compliance, and that awareness efforts provided a return on investment by preventing incidents that would otherwise cost the company money. They also created materials specifically for upper management, such as newsletters and short articles highlighting relevant news and tips specific to executives.
2. Partnering with key departments
Successful awareness programs found a way to involve other departments, such as legal, compliance, human resources, marketing, privacy and physical security. While it is easier to get this support if you already have C-level support, these departments frequently have mutual interests and may be willing to provide additional resources, such as funding or distribution channels. Frequently, these departments can make security awareness efforts mandatory. For example, the legal and compliance departments carry a great deal of influence throughout the organization and can make security awareness a required component of other processes, such as new hire orientation.
To obtain this support, you might find that you have to incorporate the needs of the cooperating departments into the general security awareness effort. For example, you might offer to carry compliance content in the security awareness newsletter. If it gets you the support you need, the effort is definitely worth the trouble.
3. Creativity
Creativity is a must. While a large budget helps, companies with a small security awareness budget have still been able to establish successful programs. Creativity and enthusiasm can make up for a small budget. One example of creativity is the use of a "security cubicle" during a company event: the security awareness department set up a mock cubicle containing 10 common security violations in the main hallway, and employees who could identify all 10 violations were entered in a prize drawing. Another effort handed out boxes of chocolates, with the security policy document included, on Valentine's Day. Employees reported that they felt compelled to read the document because they liked the chocolate. These are just examples; the options are effectively unlimited.
4. Metrics
One of the key factors in a successful effort is being able to prove that the effort is successful. The only way to do this is to collect metrics before initiating new awareness efforts. Without a baseline, it is hard to demonstrate that your efforts had more than assumed success.
Metrics can include surveys of attitudes. They can also include phishing simulations run both before and after awareness training. You can also examine the number of security-related incidents, such as attempted visits to blocked websites. Compare like with like: a follow-up phishing simulation that uses an easier lure or targets a different population than the baseline measures the lure, not the program. When you can show measurable improvement in any aspect of security, you can justify your program and obtain additional funding and support. Just about every department in a company has to prove its value, and security should not expect to be an exception.
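The pre/post phishing simulation comparison described above is only persuasive if the drop in click rate is larger than what chance alone would produce. The following is an added example, not part of the original article or the study it reports: it pools the click counts from a baseline and a follow-up campaign and applies a standard two-proportion z-test. The department rows, campaign sizes and the 0.05 significance threshold are constructed for illustration; a real program would export the counts from its phishing-simulation tool.

```python
"""Compare phishing-simulation click rates before and after an awareness push.

Added example (not from the article). All campaign numbers below are
constructed; the test itself is the textbook two-proportion z-test.
"""
from math import erf, sqrt


def normal_sf(z: float) -> float:
    """Upper-tail probability P(Z > z) for a standard normal variable."""
    return 0.5 * (1.0 - erf(z / sqrt(2.0)))


def click_rate(results):
    """Pool (department, sent, clicked) rows into one (clicked, sent) total."""
    sent = sum(row[1] for row in results)
    clicked = sum(row[2] for row in results)
    if sent == 0:
        raise ValueError("no simulated emails were sent")
    return clicked, sent


def two_proportion_z(clicked_a, sent_a, clicked_b, sent_b):
    """One-sided two-proportion z-test: H1 is that campaign B's rate is lower than A's.

    Returns (z, p). Uses the pooled-proportion standard error, which assumes the
    two campaigns sample recipients independently; campaigns months apart, with
    the same lure difficulty and the same population, are a reasonable fit.
    """
    p_a = clicked_a / sent_a
    p_b = clicked_b / sent_b
    pooled = (clicked_a + clicked_b) / (sent_a + sent_b)
    se = sqrt(pooled * (1 - pooled) * (1 / sent_a + 1 / sent_b))
    if se == 0:
        # Everyone (or no one) clicked in both campaigns: no spread to test.
        return 0.0, 1.0
    z = (p_a - p_b) / se
    return z, normal_sf(z)


def evaluate(baseline, followup, alpha=0.05):
    """Summarise the improvement and whether it clears the chosen alpha."""
    ca, na = click_rate(baseline)
    cb, nb = click_rate(followup)
    z, p = two_proportion_z(ca, na, cb, nb)
    rate_a, rate_b = ca / na, cb / nb
    return {
        "baseline_rate": rate_a,
        "followup_rate": rate_b,
        "relative_reduction": (rate_a - rate_b) / rate_a if rate_a else 0.0,
        "z": z,
        "p_value": p,
        "significant": p < alpha,
    }


# Constructed baseline campaign (before the awareness push): 1000 sent, 240 clicked.
BASELINE = [
    ("finance", 300, 84),
    ("engineering", 450, 90),
    ("sales", 250, 66),
]
# Constructed follow-up campaign (after the push): 1000 sent, 150 clicked.
FOLLOWUP = [
    ("finance", 300, 48),
    ("engineering", 450, 63),
    ("sales", 250, 39),
]
# Constructed small pilot: the same relative story on 200 people is not provable.
PILOT_BEFORE = [("helpdesk", 200, 30)]
PILOT_AFTER = [("helpdesk", 200, 24)]


if __name__ == "__main__":
    for label, before, after in (("company-wide", BASELINE, FOLLOWUP),
                                 ("pilot team", PILOT_BEFORE, PILOT_AFTER)):
        r = evaluate(before, after)
        print(f"{label}: {r['baseline_rate']:.1%} -> {r['followup_rate']:.1%}, "
              f"z={r['z']:.2f}, p={r['p_value']:.3g}, significant={r['significant']}")
```

The company-wide drop from 24% to 15% is significant (z above 5), while the pilot team's drop from 15% to 12% is not: with 200 recipients a three-point change is within normal variation, which is the "assumed success" the baseline is meant to rule out.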
5. Department of how
Awareness efforts that focus on how to accomplish tasks are more successful than those that focus on telling people what they should not do. Clearly there are actions that should not be allowed, but those should be the exception rather than the rule. For example, it is not realistic to tell employees that they cannot use social networks, but it is useful to tell them how to use social networks safely.
6. 90-day plans
Most security awareness programs follow a one-year plan that attempts to cover one topic per month. This is ineffective: it does not reinforce knowledge, and it leaves no room for feedback or for responding to ongoing events. Programs that relied on 90-day plans, and re-evaluated the program and its goals every 90 days, were the most effective. The most successful programs focus on three topics simultaneously and reinforce them regularly throughout the 90 days; at the end of each cycle the program is re-evaluated to decide which topics to address next.
7. Multimodal awareness materials
The most successful programs are not only creative; they rely on many forms of awareness materials. While there is a place for learning management system training modules, too many programs rely on them as the entire awareness program. Successful programs incorporate a variety of awareness tools: newsletters, posters, games, newsfeeds, blogs, phishing simulations and so on. The most participative efforts appear to have the most success.
Materials should also attempt to connect with different generations. For example, some videos seem to connect best with young men; you then need other videos or materials that connect with older employees and with women. There is definitely no such thing as "one size fits all" security awareness.
There were many more habits that led to either the success or the failure of security awareness programs, but these seven are a starting point. The big takeaway is that habits drive security culture, and no technology will ever make up for a poor security culture. Awareness programs, when properly executed, provide knowledge that instills behavior. Security should be common sense, but you cannot have common sense without first providing common knowledge.
Anyone interested in downloading the full research report can do so at securementem.com.