The 7 elements of a successful security awareness program
A list of action items for CSOs looking to bolster their security awareness programs.
By Ira Winkler and Samantha Manke
May 01, 2013 — CSO
When we were asked to keynote a recent CSO event, it was a pleasant surprise that the top concern of the CSOs was "security culture." Having performed many security assessments and penetration tests, we find it sadly obvious that even the best technical security efforts will fail if the company has a weak security culture. It is heartwarming that CSOs are now moving past straight technological solutions and towards instilling a strong security culture as well.
To determine the components of a truly successful security awareness program, we performed a study to identify critical success factors for building one. We interviewed security awareness practitioners at Fortune 500 companies and surveyed the security staff and general employees at the companies. Additionally, we validated the results and gathered additional information at a security executive event in the United Kingdom with more than 150 security executives participating.
While there are many more lessons to be learned, what follows are the 7 most notable habits we found that lead to successful security awareness programs.
Counterpoint: "Why you shouldn't train employees for security awareness," by Dave Aitel of Immunity Inc.
1. C-Level support
Awareness programs that obtain C-level support are more successful. This support inevitably leads to more freedom, larger budgets and support from other departments. Anyone responsible for running a security awareness program should first at least attempt to obtain strong support, before focusing on anything else.
Yes, getting this level of support can be difficult, but our research also found best practices on how to obtain this support. Successful efforts frequently highlighted that security awareness was required for compliance and that awareness efforts provided a return on investment that will inevitably save the company money. They also created special materials specifically for upper management, such as newsletters and short articles that highlighted relevant news and tips that were specific to executives.
2. Partnering with key departments
Successful awareness programs found a way to involve other departments, such as legal, compliance, human resources, marketing, privacy and physical security. While it is easier to get this support if you have the C-level support, these departments frequently have mutual interests and might be amenable to providing additional resources, such as funding or distribution. Frequently, these departments can make security awareness efforts mandatory. For example, the legal and compliance departments carry a great deal of influence throughout the organization and can make security awareness a required component of other processes, such as new hire indoctrination.
To obtain this support, you might find that you have to incorporate the needs of the cooperating departments into the general security awareness efforts. For example, you might suggest that you can use a security awareness newsletter to include compliance content. If it gets you the support you need, the effort is definitely worth the trouble.