Asked what he thinks the "killer benefit" of awareness benefits is, Halvacs alludes to a core CSO challenge: getting key decision-makers to respond appropriately in a potentially volatile situation. "It's knowing when to pick up the phone when they get in trouble, from the very first, and not screwing something up and shoving it under the rug. [It's getting] the light to come on when they're in the middle of the situation," before it spirals into crisis. "That, I think, is the biggest bang for the buck," he says.
Halvacs says good awareness programs can help drive home to senior management the ROI of proactive security initiatives. He cites background screening and drug testing. "Those are real numbers, you know, because the government says [drug abuse costs a business] anywhere from $10,000 to $12,000 per employee" annually (in health claims, sick time, workers' comp and on-the-job injuries). Adding drug testing to preemployment background screenings can save a business $1 million a year for every 100 high-risk applicants it doesn't hire. "You can really show the ROI, or cost avoidance," Halvacs says.
So, how would he advise someone just starting an awareness program? "I would definitely do some due diligence and work at the high level—the VP, senior VP level. Ask what are the needs in their organizations, what's keeping them up at night. I think, more than anything, it's building relationships at the top," he says. "Really, the key word is partnership."
Getting Started
Cherry Delaney?Coordinator of Security Awareness and Outreach, Purdue University
Awareness promotion strategy?Divide and conquer unruly constituencies
When launching a security awareness program, you may find it hard to know where to begin and harder still to stick to your strategic plan—all that flagrant lack of awareness crying out for remediation! Cherry Delaney, Purdue University's coordinator of security awareness and outreach, faces the tug of competing priorities on a daily basis.
Delaney, a 10-year IT veteran who is just eight months down the road toward creating the school's first cybersecurity awareness program, is a lone ranger patrolling an uneasy range. "There's just one of me," she says. And Purdue, based in West Lafayette, Ind., is like other universities, committed to traditions of open inquiry and free-flowing information.
Academic culture is thus a double-edged sword that presents special challenges to a security program. "That is a problem. We do really try to stay open," acknowledges Delaney. "And so hackers, or whoever, are hitting us harder than [they do] corporate sites, because we don't nail things down; we don't shut down as much as [businesses] do to control things."
Add to that the regular turnover of significant percentages of the user community—students, staff and faculty who come and go with each new semester—and you have awareness issues of extra complexity.
As with any unbegun awareness program, there's no wrong time to start one. But, in Purdue's case, why now? "We had a breach of Social Security numbers last year," says Delaney, "and that really heightened [the interest in improving awareness]. Making national headlines is not a good thing."
That Purdue breach, along with other well-publicized data mishaps in both government and the private sector, got people tuned in much more urgently to the fact that Purdue "needed to have some kind of marketing communication and training in awareness." Moreover, Indiana, like many other states, recently passed legislation governing Social Security disclosure and breach notification, placing new liability on institutions of all kinds.
Delaney's launch strategy has been to address the university's three blocks of users—staff, students and faculty—one constituency at a time. She chose to start with university staff, in part because they, more than students or faculty, would be subject to the state's new data-handling requirements. Plus, after nine years spent in Purdue's IT function, Delaney is well-acquainted and has influence with that group. "It's not that I'm doing nothing for students and faculty," she says. It's just that she's trying to remain focused on first things first and not allow herself to be run in too many directions.
In getting the word out about security priorities, Delaney relies on departmental luncheons, webcasts, podcasts and low-cost campuswide publicity (pitching security-related stories to The Exponent, Purdue's daily student newspaper, and Inside Purdue, a publication for faculty and staff). In October she held a staffwide Security Awareness Month, featuring daylong presentations on the most urgent data security issues: encryption, data security on the road and working from home, information classification and the operational requirements of the new state regulations.
One challenge is communicating with her various audiences in terms that will resonate with each. "You have different levels of expertise you have to talk to," she says. And not only expertise but frames of reference. "I mean, not as many staff people are going to be on Facebook.com [a social networking site popular with collegians] as students. So you've got different issues, depending on the demographics of the people you're trying to reach," she says.
Faculty members represent perhaps the toughest nut to crack. They enjoy plenty of authority and autonomy. For that reason they are a little like lawyers or physicians—two famously tough groups to domesticate to habits of right behavior that may seem in conflict with their sense of mission. That reality makes it clear why Delaney might want to get her game face on by tuning up with the friendly staff.?
Lew McCreary, CSO's former editor in chief, is a member of the Content Expert Faculty of the CSO Executive Council.