WINNING TACTICS FOR SECURITY AWARENESS INNOVATIONS via EXPERIENCE (1 of 2)
By Samuel Rugi, an MSc Information technology (Security), Certified Information Security Professional (CISSP), Certified Information Security Management (CISM), Cybersecurity Mentor at the Cyversity Organization and a Co-Chair Leadership LaunchPad at Technology Association of Oregon.
Security awareness is becoming a hot potato for most of us in the cybersecurity sector, within our organizations, local and global communities. I have spent considerable time studying and working on this technical area as part of my duties while securing and championing best practices and behavioral change within various organizations.
While this is not to claim that I am a distinguished industry expert in communication strategies, training like CISSP and my experience have led to success in my career. I believe these lessons can be beneficial to others and may be a source to benchmark or gather knowledge/best practices with the primary objective of provoking critical thinking in this domain.
Security Best Practices from an InfoSec Specialist Lens
Weekly Security Tips
Aim for about 50 – 75 words, and share the tip with the Human Resources or Communication department for vetting and distribution to the broader organization in weekly newsletters.
- Pick trending security topics from the global, national, local communities, industries or other interrelated organizations.
- Gather open-source security intelligence from social media handles, but be cautious about the authenticity and credibility of the source.
- Tailor the message to the security needs of the organization.
Monthly Security Newsletters Suggestions
Estimated Timeline: At least two weeks to draft, the third week for review and amendments, final week for vetting through the top security management team or any other designated team and publishing. A good article length ranges from about 450 to a max of 550 words for ease of reading.
- Newsletters require well-thought-out content, with issues or subjects picked from weekly trending security news, mainly from the incident responses analyzed over the last 30 days.
- For effectiveness and tangible impact on the security program, rely on key risk indicators collected from security tools, tickets or phishing emails reported.
- Gather free industry threat intelligence from vendors, affiliate security partners, and industry security fellows’ papers.
- Document carefully with intuitive communicators in mind, topping the essays with an outstanding summary.
- Structure and evaluate the content to fit the needs of analytical communicators, who are data-driven.
- Include supporting visual pieces of evidence, procedures or steps to cater for functional communicators.
- Lastly, use tactful language tailored to convey the message to personal communicators, with examples from uniquely personal experiences. Be innovative and apply diplomatic business etiquette.
Lunch and Learn Recommendations
Through experience, weekly and monthly articles effectively pass security messages and awareness for behavioral change. But it is lunch and learns that provide the best platform for gathering considerable feedback while assessing the security impact, when people come out to virtual or in-person meetings to participate, ask questions and offer suggestions.
- At the Lunch and Learn events, the security team needs to pay extra attention, listen and take notes from the coworkers expressing their technology and security challenges and experiences.
- Collect feedback, analyze and use it as the input to guide fine-tuning security controls or for future articles or lunch and learn topics.
- If you coordinate security communications with other teams, i.e., via IT, Communications, HR or Legal teams, allow them to demo the new technologies or processes in place while the security “ninjas” top up on how they are helping to keep it close-knit and safe. This creates a security-driven symbiotic relationship and a cohesive wider team.
Annual Cybersecurity Month Leads
As a Champion for the past five years, I have kept this one activity close to my chest with annual participation.
- Subscribing your organization and yourself to a global or a national championship program provides a great platform to learn emerging security trends.
- Meet industry experts, collaborate with the broader security community and get free awareness resources and substantial cost savings on awareness and training programs.
- Draft proclamations for the executive leadership to sign off, support and endorse the campaign, which sets the right tone across the organization.
Annual Privacy Day (28th February) Tips
While this is pretty new, I encourage colleagues to organize a lunch and learn.
- You can customize presentations with personal thoughts that evoke privacy topics, scaling them to how we envision safeguarding the organization’s and customers’ data confidentiality/privacy.
- A simulated scavenger hunt game is handy for an interactive activity with a customized gift for the winning team.
Communication Models/Flavours
To reach out to all security stakeholders at a minimum cost, work with the organization’s management to ingrain security communications into the backbone of the organization’s communication machinery. These attributes may help employees and customers be on board, and positively impact your call for action at all levels of the organization.