How To

Security Awareness Programs: Now Hear This!

Awareness programs are the cheapest way to prevent costly problems, but the security message can be easy to ignore. CSOs and CISOs share their strategies for spreading the good word.

By Lew McCreary

Page 4

(There's this weird double-negative thing at work here: A fake phishing e-mail goes out intended to fake-fool users by sending them to a fake-fake website where they end up being not really entrapped.)

According to Pelgrin, 15 percent of the 10,000 recipients fell prey to the simulated attack. Users deemed to have failed were sent to a brief online tutorial he authored on how to recognize a phishing attack; they were also shown a video on phishing from Microsoft and then presented with a quiz inviting them to view 10 websites and decide which were genuine and which were fake. (The quiz is available from Mail Frontier at www.sonicwall.com/phishing.) "I wanted this to be a very warm and fuzzy approach to learning," Pelgrin says.

Besides his enthusiasm for demonstrative learning, Pelgrin also extends his awareness work beyond New York to other states and government agencies, both through informal networking activities and through his chairing of the Multi-State ISAC (www.msisac.org), which hosts a Cyber Security Awareness Toolkit and other resources.

Building Key Alliances

Greg Halvacs, VP and CSO, Cardinal Health

Awareness promotion strategy: Get decision-makers involved

Greg Halvacs is a relationship builder. Just about every good thing that happens for Halvacs' security program grows out of the strong connections he's made with key people in the business. For example, when he headed up global security at Kraft (he joined Cardinal in April), he says, "I built strong relationships with quality [control]. Because nothing got done at Kraft unless there was a quality process [involved]. So getting the senior vice president of global quality on board and sharing, like on issues around the whole area of food protection, was a big win."

But Halvacs doesn't stop with top functional executives; he also works to create deep linkages across the entire organization. At Kraft, which has operations in 152 countries and at hundreds of sites, Halvacs identified and recruited between 300 and 400 "site coordinators," whom he empowered to be his local emissaries. (Note: Halvacs is a member of the CSO Executive Council.)

"We trained them on the basic elements, the basic X's and O's of Security 101," he says. "Because what I've found is that you'll never have a large [security] organization, so you have to empower the field and show them what they can do to prevent things." For example, while at Kraft he published a simplified field guide on how to handle investigations without needing someone from global security to parachute in (though, of course, there was a soft-sell bailout: "And if you need help, call us").
