Smart Factors: The Road to Success
There is a lot of information about how to set up an awareness program out there, but I also propose the following smart factors to be considered when building a human firewall. These tasks are less tangible, more people-oriented, and (for a few) longer to achieve. But as the adage says, the only way to harvest in the fall is to seed in the spring.
- Change "Default=allow": Communicate to targeted
staff that implementing systems or programs that are wide open is a legacy of
behavior that is not efficient in the long term. It is always easier, cheaper,
and more consistent to built security early into the system as opposed to adding
a security layer on top of an insecure system. If "Default=only allow what
is needed" is implemented, the awareness program will be very light in the
Challenge: This is a deeply ingrained behavior that needs to be changed.
- Work on the fundamentals: You need to communicate a strong
message and you need one on which you can hold on to tightly. Make security
visible to your users to send a clear message and provide them with efficient
tools. As an example, secure the end user devices (and the remote access). This
sends a clear message to the user: "See what effort we put to secure your
data; do not jeopardize this by misconduct!" People talk about
security—yes, we use full disk encryption in our company! Do not ask your
users to use encryption if it takes a Nobel Prize to use the tool.
Challenges: None. Just do it!
- Market your processes: Processes, standards and procedures
are meant to improve the efficiency of the company in its market. They are not
meant to secure assets for their own beauty. Link security to the
company’s business and turn your speech from the security standpoint to
the business standpoint. Do not tell your user what not to do; tell them how to
do it in a secure yet efficient manner. Turn from a showstopper to a solution
provider. Become an agent of change.
Challenge: You have to be involved early in your projects.
- Speak the people’s language: Prior to delivering a
message, you should first seek to understand the audience. Speak the language of
the business and drop the technical talk. There is little chance that your
audience is passionate about information security. They will listen if you speak
in their language.
Challenge: You have to learn to listen and to internalize more basic language.
- Turn root cause analysis into an awareness lesson: Every
incident/group of incidents should be evaluated about whether they should be
part of an awareness message for the whole company to learn from.
Challenge: Often, company representatives want to keep the issues secret because it is easier to have others believe they have a strong system than to admit that they also have weaknesses. However, it is only when a problem hits home that it becomes a part of the employees’ consciousness.
- Train the right people: Although emphasis is often made on
end users, it is important to segment your audience and to address the weakest
Focus on top management because it is this group that will make the decision for tomorrow.
Stress the communication to those who are stakeholders in information systems processes.
Communicate to end users.
Define any other audience of importance to your company, such as a third-party service provider.
Challenge: Multiple efforts for multiple targets means a lot of work!
- Hire an artist: Communication is not binary. Do not try to
build information security awareness content for end users by yourself; you do
not have the right sense of communication! Find someone who has 1) artistic
skills and creativity; 2) good aptitude for understanding your audience; 3) only
a basic knowledge of IT. You know what to do; he/she will know how to
Challenge: A reasonable budget is needed.
- Measure your success: Metrics are an exciting subject,
especially when it comes to information security. Without going into too much
detail, it is generally accepted that the number of classes taken, the average
number of people reading the messages, and so on are the way by which a security
awareness program is measured. You can ask yourself whether this kind of
measurement really meets the objective of minimizing user’s mistakes or
deliberate acts. Security awareness involves changes, and as such is harder to
measure in the short term. I propose not measuring anything at all instead of
measuring things that do not reflect the objectives and that give a false sense
Challenge: You might know this common adage: "You cannot manage what you cannot measure." In other words, it might be hard to sell because management tends to like tangible ways of measuring progress or status, even if most information security metrics today do not reflect a true state or evolution of a company’s level of security.