MX Logic

MX Logic » MX Logic IT Security Blog

31 October 2007

How to Start Implementing a Security Awareness Program

In the past few postings we have covered why you should seriously consider implementing a Security Awareness Program, what the goals of a successful program are, and some of the challenges that many face when putting such a program in place. As a wrap-up to National Cyber Security Awareness Month, today's final installment focuses on how to implement a successful Security Awareness program within your organization.

As a disclaimer before we go into specific detail, let me first point out that there is no "one size fits all" solution to implementing this type of program. Each program will need to be tailored to fit within your company culture and to merge well with the work habits of the other employees. If your new security policies introduce unnecessary process, are poorly outlined or conveyed, or make people less efficient, they will be rejected.

First and foremost, before you do anything else in putting together your SA program, make sure you have executive approval for it. Put together a presentation that outlines some of the things we have spoken about here in the past month, and make a good business case for why your company needs to prioritize SA as an important company initiative. If you go forward without this approval from the beginning, you will end up either redoing a lot of work to make the program fit executive direction, or the program will be shot down outright.

The next item that will ensure the success of your program is the development of meaningful security metrics. Once you have the program in place, it will be important to be able to justify its successes (and also to point out what areas still need work). Create metrics that are easily measurable, preferably automatable, and have an achievable target. Once that target is consistently reached, change your focus and start collecting metrics on other areas that need improvement. A successful metrics program should be agile enough to change what is being tracked, so that you are reporting on areas that are currently being improved upon. If all of your metrics always show 100%, then they are not showing continual process improvement. They are only showing what has already been successfully implemented across the company.

Be sure to have regular (Monthly? Quarterly? Whatever works best for you) checkpoints with internal stakeholders to determine whether they need anything in order to support the mission of your SA program. If they need additional tools or training, be sure to provide them. If other managers do not feel that they can implement your program successfully within their group, for whatever reason, they likely will not do it.

Always remember that you need complete buy-in across the organization in order for your program to succeed. That isn't just at the manager level. All employees need to buy in. It only takes one person not participating, and that person can be responsible for a major security leak or information breach.

The most important thing to remember is that security is a journey, not a destination. Continual communication and education will be necessary to ensure the continued success of your program and to make sure that it remains a high priority for everyone.

Best of luck implementing your own SA programs. It can be one of the most difficult, yet also one of the most rewarding, tasks to undertake as a security professional as you see your efforts begin to bear fruit. Missteps along the way are certainly not failures, but rather opportunities to learn and grow!

Posted by smasiello at 2:56 PM
