Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

How To Promote Security Awareness In Your Company


Published on

  • Be the first to comment

How To Promote Security Awareness In Your Company

  1. 1. Be secure, be aware. Be Security Aware. PROMOTING SECURITY AWARENESS AT YOUR COMPANY 11/22/2009 © 2009 InfoSecurityLab, Inc.
  2. 2. So you want your company to be security aware… I OBJECTIVES The Objections II What the Professionals Say III What You Can Do IV Delivering Security Awareness V Questions VI © 2009 InfoSecurityLab, Inc.
  3. 3. SO Security Awareness is the a process of making people aware of the YOU WANT YOUR COMPANY TO BE SECURITY risks to the things they value, and how they can safeguard against those risks. You Know:  Awareness means people will be more secure.  Awareness requires time and money. You Have Tried:  Policy  Edicts  Emails  Persuading Your Manager AWARE… How do you convince people to listen? How do you make Security Awareness important? © 2009 InfoSecurityLab, Inc.
  4. 4. OBJECTIONS Typical Objections  It is too expensive.  It takes too much time. Self Inflicted Problems  Our employees do not pay attention to it.  Our employees do not care about security.  Security Awareness Programs don’t work. The Odd Objections - “Where did that come from?”  We’re not ready for Security Awareness.  Security is not relevant to our business. © 2009 InfoSecurityLab, Inc.
  5. 5. Quotes WHAT THE PROFESSIONALS SAY “ As strategists, we can apply all manor of software/hardware technology to control and safeguard the activity on our information infrastructure. While the most important, and at the same time weakest, link in the security chain are people, there are no (publicly acceptable anyway) hardware modifications available to control human behaviour. Awareness, however, is the wet-ware solution that we can install in the human brain that offers the only chance to strengthen this link. ” - Tom Giangreco, Director of Information Security, SchoolsFirst Federal Credit Union “ Information security can only be successful if it is seen as an integral part of the day-to-day work responsibilities, and it is therefore necessary that everybody in the organization understands the importance of information security, employees as well as top management. The long-term success of an information security program can only be effective if there is awareness and support throughout the organization. Security awareness and training controls have been identified as a mandatory part of an information security management system, and sponsorship for information security needs to start at the top .” - Angelika Plate, Owner AEXIS Security Consultants, Secretary of ISO/IEC JTC1 SC 27 "IT Security Techniques", Editor of ISO 27001, Co-editor of ISO/IEC 27002 and 27006. “ There is probably no more effective countermeasure, dollar for dollar, than a good security awareness program.” “Although it is important for an awareness program to ensure that the right things are covered, the critical success factor for an awareness program is the delivery methods. The advice must be simple. It must be made personal…Advice that is realistic, understandable, actionable, and repeated is useful. ” - Ira Winkler, “Spies Among Us”, President Information Security Advisors Group, author of “Spies Among Us”, “Zen and the Art of Information Security”, and “Corporate Espionage” “ There is only one way to keep your product plans safe and that is by having a trained, aware, and a conscientious workforce. This involves training on the policies and procedures, but also – and probably even more important – an ongoing awareness program. ” - Kevin Mitnick, “Art of Deception”, founder of Mitnick Security Consulting, author of “The Art of Intrusion” and “The Art of Deception” © 2009 InfoSecurityLab, Inc.
  6. 6. A Change in Tactics WHAT YOU CAN DO Do not use Fear, Uncertainty and Doubt. F.U.D. Fear – is not security awareness. If we are aware of risks and how to protect against them we have little reason to be afraid. Uncertainty – is not security awareness. People who are trained how to handle problems are certain of what to do. Doubt – is not security awareness. People who are trained, and kept up to date do not doubt their skills, and know what to do. © 2009 InfoSecurityLab, Inc.
  7. 7. A Change in Tactics WHAT YOU CAN DO  Promote a security as a cultural and behavioural change.  Focus on changing long term patterns and attitudes about security.  Focus on security enabling people, not as restricting rules.  Make security something everyone can understand and act on.  Show how security applies to all parts of life - at work and home. © 2009 InfoSecurityLab, Inc.
  8. 8. Make It Relevant Make it Easy to Understand WHAT MAKES SECURITY AWARENESS SUCCESSFUL? • It must relate to a person’s life. • It must be explained in • It must relate to a person’s job. words and terms that anyone can understand. • It must show how security can improve things they value (job security, ability to perform, make • It must include actions that money & be rewarded) anyone can perform. • It must include ideas and situations that people can relate to. Empower People Make it Fun • It must make people feel they • It must be enjoyable to are important. participate in. • It must make people feel that • It must provide for growth and security is for them and not learning. against them. • It must help people feel like • It must make people feel that they are helping everyone security makes their job easier. around them. • It must make people think and laugh. © 2009 InfoSecurityLab, Inc.
  9. 9. Answer the Challenge OVERCOME THOSE OBJECTIONS  It is too expensive. Choose inexpensive solutions, even homegrown. Make them simple, and demonstrate them to management. Seeing is believing. • Time and money spent is less than for fixing a breach. • The money that is spent on various security tools far exceeds the money that is required to teach employees to not open email attachments, not share usernames and passwords, and to follow proper procedures.  It takes too much time. Do not make it a graduate course in security. Make it simple, useful, short, and fun. Time is wasted when the activity is not valuable.  Our employees will not pay attention to it, or do not care about security. Security Awareness Programs don’t work. Make the program useful, relevant, and not just about work. Employees will pay attention when it benefits them. Give them valuable lessons they can use anywhere.  We are not ready for Security Awareness. Security is not relevant to our business. Ask them if security at home, or while shopping online, or while travelling would be useful to employees. You get a chance to talk about security, and get some of your message included. © 2009 InfoSecurityLab, Inc.
  10. 10. Match the Medium to the Audience DELIVERING SECURITY AWARENESS Security Awareness is a Marketing issue – how to present and sell the message. Consider:  How to make security appealing to employees and their values  How to communicate across the entire company  What mediums are a good fit for the company Some Mediums You Can Use:  E-Learning  Classroom Training  Newsletters  Emails  Posters  Web Portals  Seasonal Messages  Contests  Lunch-and-Learns © 2009 InfoSecurityLab, Inc.
  11. 11. QUESTIONS Our mission: “ Provide Security Awareness solutions that are meaningful to every employee. ” Remember: Be secure, be aware. Be Security Aware. Daniel Blander, CISM, CISSP © 2009 InfoSecurityLab, Inc.