The first step towards creating a successful security awareness program is to recognize that this is not a project with a defined timeline and an expected completion date, but is instead a development of organizational culture.
Akin to “safety first” cultures that develop in manufacturing and other heavy industries, there are large economic and regulatory pressures being exerted on businesses now to develop and maintain IT security awareness. Even though employees’ and clients’ physical health may not be at risk from cyber security attacks, the threat to businesses can be as severe or more so.
Similarly, the measures of success are found not just in reduced counts of accidents or exposures but in the baseline attitudes and practices of employees as they perform their business functions.
It’s All About the People & It’s Driven From The Top
A vast number of tools and providers are available to help implement security awareness platforms and yet all of them can fail if the focus shifts to simply installing the tools or, even worse, performing to their metrics.
Much like “teaching to the test,” companies run the risk of training their employees to satisfy the metrics without developing any true awareness. Leadership needs to step forward in the initial phase of developing a program to clearly and consistently deliver the message that IT security awareness is an integral job function for the entire organization.
The technologies and vendors will certainly be critical for any implementation; however, it needs to be made clear that these tools are the yardstick by which success can be measured, not the indication of success itself.
The reality is that most organizations are attempting, or will attempt, to evolve their IT security awareness after many other business rules have been defined, and in every case this process will be ancillary to the main goal of the business (delivering goods and/or services while returning a profit to investors/owners). Thus, budget constraints, process changes and other impediments are sure to crop up.
One of the great services management can provide is to avoid the blame game. IT systems continually increase in complexity, as do the threats looking to attack and exploit them. Since the primary goal of IT is to provide the tools that allow the business to deliver those goods and/or services at a profit, chances are that vulnerabilities exist in an organization’s networks and systems.
Remediation of these issues is obviously a concern; however, the focus of any IT security awareness program should be the development of policies and processes to avoid repeating these exposures in the future.
Essentially, the idea is to not make the same mistake twice. If management develops security awareness as a culture and not a scorecard, success will be much more likely.
You Can’t Miss the Shots You Don’t Take
It can be argued that building a truly secure IT platform is fairly simple – just lock it in a room, and never plug it into anything else!
There is always an inherent balance between function and protection; thus, IT security will always be a practice of risk management. When implementing an integrated IT security awareness program, you should strive to develop a corporate mindset that considers the security implications of desired IT changes.
The individual issue may be a user wanting to view a .PDF file from a stranger, an AppDev employee asking for specific network connectivity, a vendor asking for an extranet connection or something else. The objective is not to have a laundry list of yes/no responses, but to instill at all levels of the organization a mindset that asks:
“What are the potential risks and benefits of this action?”
With this mindset in place, the various IT security tools and approaches provide the visibility needed to answer that underlying question, and the means by which decisions can be monitored to see whether the evolving landscape changes that risk/reward scenario.
About the Author: A graduate of Georgia State University with a Master’s Degree in Computer Information Systems, Keith has over a decade of experience in network design and deployment, telecommunications and multi-platform systems administration. Keith joined the ReliaQuest team in March 2014 and works with the RedSeal network infrastructure security platform and SIEM integration, primarily with Splunk and ArcSight.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.