Information Security Awareness in 7 Simple Steps
by Gary Hinson, IsecT Ltd.
Are you maybe thinking about running a security awareness program but are not quite sure where to start? This paper offers some pragmatic hints and tips on applying the seven key steps of a typical IT procurement process to the selection and launch of an awareness program, based on our experience of occasionally being the ‘driver’ of the process and often the ‘driven’.
We have done our level best to make this a useful generic paper not one that is specific to NoticeBored and leave it to your judgment to adapt the paper to your individual circumstances.
Like others on the NoticeBored website, this paper is a work-in-progress. Thanks to the wonders of the web we will revise it from time to time when further inspiration strikes. If you have a question or suggestion relating to this, please do get in touch. We’d love to hear from you especially if we’ve overlooked something important to you.
1. Specify your requirements
The first step is to establish the need. Think carefully about what you are really trying to achieve through security awareness. Until your objectives are clear, you will have problems planning and organizing the awareness program, let alone evaluating and choosing the products and services you may need to deliver it.
Start perhaps by reviewing our white paper on the value of security awareness, then ask yourself some rhetorical questions:
Now try dreaming a bit - picture yourself in the future - try to imagine how things will be when your awareness program is running smoothly. You might like to consider some more complex issues such as:
NIST Special Publication 800-50 is an excellent source of unbiased advice on security awareness. If the issues outlined above have set you thinking, check out SP 800-50 to broaden your horizons and deepen your analysis. If you think like me, you’ll probably draw up a mind-map to help make sense of all the requirements and distinguish the vital, important and nice-to-have elements.
2. Prepare your plan and evaluation checklist
Awareness programs do not run themselves, especially as many organizations start from a fairly negative position. It will take concerted effort to overcome that inertia, get the organization up to speed on information security, and then keep it rolling. In other words, you need to develop a plan to establish the program and then manage it on an ongoing basis in order to deliver the projected benefits.
If you have a lot of ground to cover (e.g. “the whole of information security”!), we would definitely recommend planning to cover it in discrete sections or chunks spread out over time, and wherever possible framing those chunks in terms that make sense to your target audience/s. Take, for example, the virus problem: anyone who uses an IT system should have a basic understanding of viruses. In explaining about viruses, you may want to mention issues such as configuration management, network/systems access and so on, but you need not go into depth on all of these at the same time. It’s perfectly acceptable to say “We will tell you more about this later” or even “Call the Help Desk or the Information Security Manager for more information”. That way you can maintain a focus on the key messages without overloading people.
An ideal way of crystallizing your thoughts from step 1 above, in parallel with developing your plan and addressing every part of your mind-map, is to prepare a product evaluation checklist containing:
As you work through the checklist, you will in effect be defining and refining your requirements for the program, making it easier to develop the associated plan. That’s why we treat these two activities as one step.
3. Secure funding and management support
Getting your senior management on board with the whole idea of an awareness campaign is, I humbly suggest, by far the most important thing you can achieve in the next few months and will pay big dividends in the long run. How you actually achieve this is down to you: we can only hint at things that have worked for us and our clients.
Depending on the corporation, you may or may not need to make a strong financial case for the investment - some senior managers respond better to gut feel than raw numbers. Our generic business case paper may be a useful straw-man if you need to persuade your management to fund and support the awareness campaign (by all means call us for the editable MS Word version of the paper if that will save time).
Work with your CIO or IT Director, for sure, and ideally other influential managers who have an interest in seeing the awareness program succeed. You will often find friends in functions such as Internal Audit, Regulatory Compliance, Facilities, Legal, Risk Management, HR and Finance. Time spent privately and patiently explaining your plans to these key stakeholders will help (a) refine your plan; (b) identify any concerns; (c) deflect criticism and (d) line them up to support your program openly, especially during the early phases of the delivery. This is YOUR investment in the awareness program!
By the way, it’s often worthwhile getting explicit management support for information security during this process, meaning at least one quote from a senior manager which unequivocally mandates compliance. You may need to draft the actual statement for the CEO but her signature on the bottom will add weight to your awareness program way beyond its apparent value. Believe me, clout works!
During step 3, do not be afraid to continue refining your plan and requirements. All the time, you are thinking about it and learning about the possibilities. Don’t waste that brain energy!
4. Identify and shortlist possible solutions
Now you are in a good position to go looking for what you might need. Start by looking within your own organization for suitable resources, for example in your IT, HR, Internal/Corporate Communications and Training and Development functions. Take advice from colleagues running other internal awareness/training/educational programs (such as Health and Safety or IT training). Simply asking your colleagues for advice is worthwhile as it may help get their support for delivering the program later on, whereas not asking them may inadvertently set them against it.
When it comes to finding public free and commercial offerings, Google is your friend! Search for terms such as “security awareness”, “information security awareness”, “security awareness posters” and so forth. Check out the industry magazines and professional societies for help and advice. Join the Security Awareness Forum on Yahoo and check out the archives. Pretty soon, you will have amassed a list of interesting products and services. Be systematic about the way you gather and assess the information and you will make the remaining steps easier.
Now go through your list of internal and external resources and home in on those parts which you think may suit your needs. By all means discard the others but be careful - it is easy to overlook useful resources that are badly marketed, incompletely described or simply unknown (often because they are new). If you have the time and energy, it may be safer to shortlist most if not all potential suppliers at this stage and trim the list later. There is no harm in contacting companies for initial information at this stage but be wary of overt sales pitches: the next step works best if you approach it objectively on your terms, not theirs.
5. Evaluate potential solutions
For commercial offerings, this is the conventional tendering sub-process:
Your Procurement people should be falling over themselves to help you with the tendering process, especially if there are substantial sums of money involved. They will want to ensure that the process is fair, objective and entirely above-board. This is their profession: take their advice!
For in-house and free offerings, the shortlisting, evaluation and assessment process is similar. It is entirely possible that you may wish to take advantage of commercial and free awareness materials, for example, and combine them with internal resources. It’s your choice.
6. Select and procure chosen solutions
The end result of step 5 is usually but not always a single winning bidder. Sometimes you may have selected different bidders for separate parts of your requirement, sometimes you will have been unable to decide between a few bidders. Step 6 generally involves a bit of negotiation with the suppliers, perhaps some clarification of the price, the terms of the offer, and another hard look at what they offered. Finally you make the decision, prepare a Purchase Order and move on. This is known as doing the business.
Time for a brief comment from the other side of the fence: please try to make the time to contact each of the failed bidders to let them know why they were not selected, or at least invite them to ask for more information. Preparing a formal proposal involves an intensive effort on their part. If you feel certain aspects let them down, letting them know about it helps them do better next time, assuming they are open to criticism. [If they don’t even want to hear from you, you know you made the right decision!]
7. Implement and launch the awareness program
Let the fun commence! Whilst the previous 6 steps may seem like a rather bureaucratic and pointless diversion, you may well find the opposite in practice. Just as with a software development project, time spent deciding the requirements, designing the solution and testing the system pays off in the end with a smoother and more effective implementation.
You have a well-written plan, the management support and the necessary resources to deliver it. Now is the time to call on your internal colleagues and chosen suppliers to build and deliver the awareness program of your dreams. Good luck!
In this paper, we have given a flavor of what is normally involved in launching a structured security awareness program. Your mileage may well vary but we hope this helps turn a somewhat confusing process into a straightforward set of steps.
Copyright © 2013 IsecT Ltd.