WINNING TACTICS FOR SECURITY AWARENESS INNOVATIONS via EXPERIENCE (2 of 2)
By Samuel Rugi, MSc Information Technology (Security), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Cybersecurity Mentor at the Cyversity Organization and Co-Chair of the Leadership LaunchPad at the Technology Association of Oregon.
Key Items to Consider for an Impactful Security Awareness Agenda
1 – Identify and understand security drivers and what they mean to the business.
- Confidentiality
- Integrity
- Availability
2 – Interlink those critical drivers with the following security themes.
- People
- Technology
- Data and Privacy
- Processes
3 – Understand the business environment.
- Threats
- Customers
- Public Community (Local, Regional, Continental and Global)
- Governance Structures
- Political, Social, Religious and Economic Triggers
Tools and Resources to Consider to be Successful and Keep Winning
- Governance Body: While it’s easy to do a lot of communication in an organization, it can be an uphill task with slim chances of success if you don’t have the blessing of a security governance body at the executive leadership level. Most organizations call this the Cybersecurity Committee (SC) or Cybersecurity Board. If you don’t have one, influence the leadership and get one. It is a critical body in the security program when selecting the industry frameworks and standards to adopt and assessing their impact on, and value to, the business.
- Security Policies: Policies, Standards, Procedures and Guidelines – These come from your security program, which sets out the organization’s security strategy; make sure the communication strategy is clearly articulated and aligned with these governance tools. They also need to be revised in a timely manner according to your organization’s business requirements and cyber risk management strategy.
- Security Metrics and Reports: Collect KPIs and KRIs and report them to the governance body. This helps make sure you are hitting the maturity milestones you have set, so the reports need to tell a story and be actionable, timely and consistent. KPIs generally come from technology and program features, while KRIs mainly come from data gathered on the effectiveness of security controls and tools.
- Security Data Context: Collecting data and information and presenting it is valuable. However, the security value and return on investment only become identifiable through the in-house cyber/information security body of knowledge built from deep security analysis, and through the cyber security wisdom that ripens as an organization matures. Together these give executives a deep security check and the organization insights, as security evolves and responds to new challenges daily.
- Affiliation: The organization and its security personnel need to join industry-recognized cybersecurity bodies such as (ISC)², where one can learn, gather intelligence, and obtain free tools and resources to improve your program and security posture. Internal affiliation is also essential.
- Highly Skilled Cybersecurity Professional: An excellent formal education, i.e., a bachelor’s or master’s degree, or at least specialized training at an institution of higher learning, is an advantage. These academic skillsets are required to succeed in driving change within a homogeneous business environment that faces a competitive business terrain.
- Formal Education Attributes: Combined with experience, formal education helps one develop intellectual judgment and an independent analytical and security mindset, with the skills to collect and present statistics and trends, understand business acumen and tools, and tailor communication from a security perspective to fit evolving business requirements. It is good to remember that most organizations’ decisions today are made or driven by highly successful academic intellects; one needs them on side to succeed, and winning them over is a zero-dollar investment.
- Develop Security Communication Strategy: Like any other communication strategy, it’s vital to have a security-driven communication strategy highlighting stakeholders’ key roles and responsibilities. The communication lifecycle should keep track of the maturity level of the program.
- Champions: Influencing good behaviors requires dedicated security champions. These are individuals who do not necessarily work in the security team but have a great interest in advocating for security matters within their business unit. Empower them with resources, create time to collaborate and brainstorm with them, and ensure the leadership recognizes their effort.
- Communication Tools/Platform: Establish a centralized location where all security resources are shared and that is accessible to all the parties you wish to reach. The Communications and Human Resources teams may already have one that you could leverage to save cost.
- Training and Benchmarks: Attend tailored security or communication training to advance your staff’s knowledge in this domain. Learn from specialized industry experts, keep track of trends, and check how others are responding to cyber challenges. Much of this information is available for free or as open-source resources, yet it is a powerful tool for developing your strategies. Industry conferences and meetups provide fantastic resources to test new tools or gather new findings as the cybersecurity industry evolves.
- Budget: As the organization’s security awareness program starts taking shape and you have supporting evidence for the maturity level, it is probably a good time to start budgeting for tailored security training and championing efforts in the annual, quarterly or multi-year strategic plan.