SANS has just issued their 2017 Security Awareness Report. In it, they identified five levels of security awareness programs in organizations. Which level is your organization at?
Non-Existent: A program doesn’t exist. Employees have no idea that they are a target or that their actions have a direct impact on the security of the organization; they don’t know or understand organization policies, and they easily fall victim to attacks.
Compliance Focused: The program is designed primarily to meet specific compliance or audit requirements. Training is limited to an annual or ad-hoc basis. Employees are unsure of organizational policies and/or their role in protecting their organization’s informational assets.
Promoting Awareness & Behavior Change: The program identifies the training topics that have the greatest impact in supporting the organization’s mission and focuses on those key topics. The program goes beyond just annual training and includes continual reinforcement throughout the year. The content is communicated in an engaging and positive manner that encourages behavior change at work and at home. As a result, people understand and follow organization policies and actively recognize, prevent, and report incidents.
Long-Term Sustainment & Culture Change: The program has the processes, resources, and leadership support in place for a long-term life cycle, including, at a minimum, an annual review and update of the program. Thus, the program and cyber security are an established part of the organization’s culture.
Robust Metrics Framework: The program has a robust metrics framework to track progress and measure impact. Consequently, the program is continuously improving and able to demonstrate return on investment.
Important to Note: When we say “metrics framework”, it doesn’t imply that the methods of measurement are limited to the last stage of the model. We believe that metrics are an important part of every stage. This stage simply reinforces that to truly have a mature program, you must not only be changing behavior and culture, but also have the metrics framework in place to demonstrate that change.
The report also identified the primary challenges for security officers in implementing an effective awareness program:
Time, and effective communication, both to their employees and to their leadership, on the need for security.
Can I tell you an easy and inexpensive way to deal with these two challenges?
Don’t go it alone and try to do it all yourself.
Schedule regular, on-going DICE Security Awareness briefings for your organization.
Let me communicate on your behalf about the need for security. I have nearly 30 years of experience doing so, and you know how I can really shake up and wake up an audience.
Use me as your secret weapon!
Contact me today for more information.