Security Awareness Programs: Now Hear This!

Awareness programs are the cheapest way to prevent costly problems, but the security message can be easy to ignore. CSOs and CISOs share their strategies for spreading the good word.

By Lew McCreary

So, how would he advise someone just starting an awareness program? "I would definitely do some due diligence and work at the high level—the VP, senior VP level. Ask what are the needs in their organizations, what's keeping them up at night. I think, more than anything, it's building relationships at the top," he says. "Really, the key word is partnership."

Getting Started

Cherry Delaney, Coordinator of Security Awareness and Outreach, Purdue University

Awareness promotion strategy: Divide and conquer unruly constituencies

When launching a security awareness program, you may find it hard to know where to begin and harder still to stick to your strategic plan—all that flagrant lack of awareness crying out for remediation! Cherry Delaney, Purdue University's coordinator of security awareness and outreach, faces the tug of competing priorities on a daily basis.

Delaney, a 10-year IT veteran who is just eight months down the road toward creating the school's first cybersecurity awareness program, is a lone ranger patrolling an uneasy range. "There's just one of me," she says. And Purdue, based in West Lafayette, Ind., is like other universities, committed to traditions of open inquiry and free-flowing information.

Academic culture is thus a double-edged sword that presents special challenges to a security program. "That is a problem. We do really try to stay open," acknowledges Delaney. "And so hackers, or whoever, are hitting us harder than [they do] corporate sites, because we don't nail things down; we don't shut down as much as [businesses] do to control things."

Add to that the regular turnover of significant percentages of the user community—students, staff and faculty who come and go with each new semester—and you have awareness issues of extra complexity.

As with any unbegun awareness program, there's no wrong time to start one. But, in Purdue's case, why now? "We had a breach of Social Security numbers last year," says Delaney, "and that really heightened [the interest in improving awareness]. Making national headlines is not a good thing."

That Purdue breach, along with other well-publicized data mishaps in both government and the private sector, got people tuned in much more urgently to the fact that Purdue "needed to have some kind of marketing communication and training in awareness." Moreover, Indiana, like many other states, recently passed legislation governing Social Security disclosure and breach notification, placing new liability on institutions of all kinds.

Delaney's launch strategy has been to address the university's three blocks of users—staff, students and faculty—one constituency at a time. She chose to start with university staff, in part because they, more than students or faculty, would be subject to the state's new data-handling requirements. Plus, after nine years spent in Purdue's IT function, Delaney is well-acquainted and has influence with that group. "It's not that I'm doing nothing for students and faculty," she says. It's just that she's trying to remain focused on first things first and not allow herself to be run in too many directions.
