The first step towards creating a successful security awareness program is to recognise that this is not a project with a defined timeline and an expected completion date, but is instead a development of organisational culture.
Akin to “safety first” cultures that develop in manufacturing and other heavy industries, there are large economic and regulatory pressures being exerted on businesses now to develop and maintain IT security awareness. Even though employees’ and clients’ physical health may not be at risk from cyber security attacks, the threat to businesses can be just as severe and occasionally, more so.
Similarly, success is measured not just by reduced counts of accidents or exposures but by the baseline attitudes and practices of employees as they perform their business functions. It’s all about the people, and it’s driven from the top.
A vast number of tools and providers are available to help implement security awareness platforms and yet all of them can fail if the focus shifts to simply installing the tools or, even worse, performing to their metrics.
Much like “teaching to the test,” companies run the risk of training their employees to satisfy the metrics without developing any true awareness. Leadership needs to step forward in the initial phase of developing a program to clearly and consistently deliver the message that IT security awareness is an integral job function for the entire organisation.
The technologies and vendors will certainly be critical for any implementation; however, it needs to be made clear that these tools are the yardstick by which success can be measured, not the indication of success itself.
The reality is that most organisations are attempting, or will attempt, to evolve their IT security awareness after many other business rules have been defined, and in every case this process will be ancillary to the main goal of the business (delivering goods and/or services while returning a profit to investors/owners). Thus, budget constraints, process changes and other impediments are sure to crop up.
One of the great services that management can provide is to avoid the blame game. IT systems continually increase in complexity, as does the range of threats looking to attack and exploit them. As the primary goal of IT is to provide the tools that allow the business to deliver those goods and/or services at a profit, chances are vulnerabilities already exist in an organisation’s networks and systems.
Remediation of these issues is obviously a concern; however, the focus of any IT security awareness program should be the development of policies and processes to avoid repeating these exposures in the future.
Essentially, the idea is to not make the same mistake twice. If management develops security awareness as a culture and not a scorecard, success will be much more likely. As the old saying goes, you can’t miss the shots you don’t take!
There is always the inherent balance between function and protection, thus IT security will always be a practice of risk management. When implementing an integrated IT security awareness program, you should strive to develop a corporate mindset that considers the security implications of desired IT changes.
The individual issue may be a user wanting to view a .PDF file from a stranger, an AppDev employee asking for specific network connectivity, a vendor asking for an extranet connection or something else. The objective is not to have an extensive list of yes/no responses, but to instill at all levels of the organisation a mindset that asks:
“What are the potential risks and benefits of this action?”
From this approach, the various IT security tools and approaches provide the visibility to answer that underlying question and the means by which decisions can be monitored to see if the evolving landscape changes that risk/reward scenario.