Security awareness 101 and beyond
1 / 100

Security Awareness 101 - PowerPoint PPT Presentation

  • Uploaded on

Security Awareness 101 ……and Beyond. “Vision without action is only a dream Action without vision is merely passing the time Vision with action will change the world.” - Joel Barker. 20th Annual Computer Security Applications Conference December 6, 2004 Tucson, Arizona Kelley Bogart

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Security Awareness 101 ' - MikeCarlo

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Security awareness 101 and beyond
Security Awareness 101 ……and Beyond

“Vision without action is only a dreamAction without vision is merely passing the timeVision with action will change the world.”

- Joel Barker

20th Annual

Computer Security Applications Conference

December 6, 2004

Tucson, Arizona

Kelley Bogart

Melissa Guenther

'The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.'

Kevin Mitnick

'The Coming Third Wave of Internet Attacks: The first wave of attacks targeted the physical electronics. The second wave - syntactic attacks - targets the network's operating logic. The coming third wave of attacks - semantic attacks - will target data and it's meaning. This includes fake press releases, false rumors, manipulated databases. The most severe semantic attacks will be against automatic systems, such as intelligent agents, remote-control devices, etc., that rigidly accept input and have limited ability to evaluate. Semantic attacks are much harder to defend against because they target meaning rather than software flaws. They play on security flaws in people, not in systems.

Always remember:

Amateurs hack systems, professionals hack people.'

Bruce Schneier

Introductions of attacks targeted the physical electronics. The second wave - syntactic attacks - targets the network's operating logic. The coming third wave of attacks - semantic attacks - will target data and it's meaning. This includes fake press releases, false rumors, manipulated databases. The most severe semantic attacks will be against automatic systems, such as intelligent agents, remote-control devices, etc., that rigidly accept input and have limited ability to evaluate. Semantic attacks are much harder to defend against because they target meaning rather than software flaws. They play on security flaws in people, not in systems.

A complimentary team approach

  • Ms. Kelley Bogart (University of Arizona for the University's Business Continuity and Information Security Office as the Information Security Coordinator.

    • Initial work was dedicated to policy and best practices related to Business Continuity and Information Security topics.

    • Last two years have been dedicated to developing and implementing a Campus Security Awareness Campaign.

    • Received international recognition.

    • Appointed Co-Chair of the EDUCAUSE Security Awareness Task Force, which is a international group that focuses on IT issues and solutions specific to academia. And works directly with the National Cyber Security Alliance with regard to Security Awareness.

    • Recently she is working on a partnership agreement with Arizona Homeland Security to use UA's Awareness Campaign for a Statewide Awareness Campaign Initiative.

  • Ms. Melissa Guenther – Advisor to Phoenix InfraGard and Security Awareness Consultant

    • Assists teams in creating blueprints and designing interventions for change, primarily in the Security Awareness area.

    • Clients include Texaco, U of A, Manitoba Information Protection Centre and Public Service of New Mexico.

    • Over 20 years of culture Change Management and Training experience, providing a strong base for proven results.

    • Requested presenter at various security conferences, such as SANS, CSI, and the Arizona Chapter of High Technology Crime Investigation Association (ACHICIA), both nationally and internationally.

    • Created the plan and blueprint for the University of Arizona's Security Awareness campaign, and assisted in the implementation.

Introduction to our work
Introduction to Our Work of attacks targeted the physical electronics. The second wave - syntactic attacks - targets the network's operating logic. The coming third wave of attacks - semantic attacks - will target data and it's meaning. This includes fake press releases, false rumors, manipulated databases. The most severe semantic attacks will be against automatic systems, such as intelligent agents, remote-control devices, etc., that rigidly accept input and have limited ability to evaluate. Semantic attacks are much harder to defend against because they target meaning rather than software flaws. They play on security flaws in people, not in systems.

  • If the result of this workshop gives voice to some of your own experiences, or provides new ideas that contribute to your success, then we have succeeded.

  • At times, you will hear strong recommendations around proprietary products and processes. We make no apologies, for we would do all a disservice if we failed to disclose with great passion those interventions that can change your company. At the same time, we provide guidelines and suggestions on how to create your own versions of these solutions.

  • As you take your own journey, we would like to hear from you and invite you to email us with your questions and stories of your victories as you chart your own change path.

  • A common thread of those that had success with security awareness efforts- giving people clear direction and immediately enlisting their energies in creating that future.

  • Involvement in security awareness efforts in academia, Fortune 100 and small businesses – variety of situations with one constant.


  • Regardless of presenting issues, success ultimately boils down to meeting a challenge, solving a problem, or forging a better future. And it takes people to accomplish these feats. Even if you define change as implementing technical solutions, such as a Firewall or automatic update installations, technology doesn’t work unless people decide to make it work.

  • Getting people involved in the process - because people are the ones who make changes work - is key.“Organizations don’t change – people change. And then people change organizations.”

Awareness to focus attention on security
Awareness awareness efforts- focus attention on security

National Institute for Standards and Technology

Framework 1

Identify program scope awareness efforts-

Goals and objectives

Identify training staff and identify target audiences

Motivate management and employees

Administer the program

Maintain the program

Evaluate the program

NIST (1995, 1998)

Framework 1

Framework 2
Framework 2 awareness efforts-

  • Plan

  • Design

  • Implement

  • Evaluate

  • Continuous Improvement

    • M. Guenther, LLC.

Awareness program overview

Aims of the Program awareness efforts-

Start Up

Environmental scan

Policies and procedures

Technical review

Culture Survey

Stakeholder analysis

Regulatory compliance

Overall structure

Project Phases

Resources and Skills

Budget and Costs

Project communication

Project documentation

Target Audience Groups

Management and Monitoring

Maintenance and transition

Program Content



Sources of Material

Program methods and tools

Intranet website

Communication methods


Program Management



Plan and major activities

Measuring the program

Cost benefit analysis

Program costs

Business benefits



Appendix A – Target audience segments

Appendix B – Potential information, physical and personal security topics

Appendix C – Outline and timeline of program plan

Appendix D – Communication methods

Awareness Program Overview

Content awareness efforts-

  • Topics of awareness include but are not limited to:

    • The responsibility of users to report issues

    • The fact that a users activities can be audited

    • The legal requirement for data (citing legislation, as appropriate)

    • Privacy expectations of internal and external users

    • The ownership of data

    • Password requirements

    • The acceptable use policy for E-mail and Internet access

    • The intellectual property requirements;

    • The sensitivity of department systems to threats, risks and vulnerabilities; and

    • Physical, personal and information vulnerabilities

Objectives and background
Objectives and Background awareness efforts-

  • Provide direction and guidance in the areas of program development and changes to culture

  • Address the following questions

    • What are the premises, nature and point of departure of awareness?

    • What is the role of attitude, and particularly motivation: the possibilities and requirements for achieving motivation/user acceptance with respect to information security tasks?

    • What approaches can be used as a framework to reach the stage of internalization and end-user commitment?

      • Commitment to something means that one wants it

        and will make it happen

        (Peter Senge, 1990)

Culture awareness efforts-

Washington State anthropologist John Bodley defines culture as "shared, learned values, ideals, and behavior — a way of life."

Changing behaviors
Changing Behaviors awareness efforts-

  • The goal of awareness is to change behavior

  • People only adopt new patterns of behavior when... the old are no longer effective

  • People change when the pain of changing is less than the pain of staying the same.

  • Three concepts about human

    behavior to note:

Changing behaviors1
Changing Behaviors awareness efforts-

1. People’s behavior is based upon their principles and their values

2. An effective awareness program helps the workforce adopt the organization’s principles and values

3. A message is persuasive when the addresser selects information that the addressee perceives as relevant in terms of his or her values

Changing behaviors2

Knowledge does not guarantee a change in behavior. awareness efforts-

Changing Behaviors

  • “We’ll just create some new policies.”

    What are the fallacies of policy?

  • “We just send everyone to training.”


Your ideas for involvement? awareness efforts-


  • To change culture and behaviors we need involvement from those who will be most impacted by the change

  • WII-FM: What’s In It For Me?

  • People like to be included

Company Policies awareness efforts-

Important note:

Don’t wait until

P&P’s are done to

start awareness!!

Security Awareness Program Purposes








Model 1 - The Security Awareness Program Flow

Another step
Another Step … awareness efforts-

Security Advisory Group or Council

  • Group of upper management level people

  • Represent all areas of the business

  • Promote security awareness

  • Promote consistent approach to security

  • Drivers of corporate wide security policy

Involvement awareness efforts-

  • Host special events

  • Look for “teachable moments”

  • Develop security “champions”

  • Leverage a “negative event”

  • Use the “Grapevine”

PLANNING awareness efforts-

The beginning is the most important

part of the work.


Strategic planning
Strategic Planning awareness efforts-

  • Step 1: Where are we now? (Situation Assessment)

  • Step 2. Where do we want to be? (Strategic Direction)

  • Step 3 - How do we plan to get there? (Implementation Planning)

  • Step 4 - How will we monitor progress? (Monitoring)

Compelling issues
Compelling Issues awareness efforts-

  • Vast amounts of information.

  • Open environment.

  • Decentralized functions.

  • Customer expectations.

  • Institutional responsibility.

  • Financial, operational & reputational risks.

  • Increasing threat profile.

It s the culture
It’s the Culture awareness efforts-

  • Culture drives the behavior of the

    organization and it’s people.

  • Implementing a behavioral security process without a solid cultural foundation is the cause of most incidents.

Danger signs
Danger Signs awareness efforts-

  • Unclear who is responsible for what.

  • Belief that everything is ok, “we are in good shape”

  • Belief that rule compliance is enough for security (If we’re in compliance – we’re ok)

  • No tolerance for whistle-blowers

    • “culture of silence”

  • Problems experienced from other locations not applied as “lessons learned”

  • Lessons that are learned are not built into the system

  • Defects / errors became acceptable

  • Security is subordinate to production

  • Emergency procedures for severe events is lacking

Danger signs1
Danger Signs awareness efforts-

  • Policies and Procedures are confusing, complex and “hard to find”.

  • Security resources and techniques are available but not used.

  • Organizational barriers prevent effective communication.

  • There are undefined responsibility, authority, and accountability for security.

    • Security belonged to “IT”

  • The acceptance of defects / errors becomes Institutionalized.

    • Because nothing has happened (or we are unaware of what has happened), we’re ok.

      • Culture is resilient, hard to change, and will revert to old habitsif not steered by leadership.

What is culture
What is Culture? awareness efforts-

  • Social Culture - Our beliefs, philosophies,

    attitudes, practices that govern how we live.

  • Organizational Culture -What employees believe (perceptions), attitudes, practices, rules, regulations, philosophies, values, etc.

What is culture1
What is Culture? awareness efforts-

  • It is the atmospherewhich shapes our behavior.

  • Invisible forcethat largely dictates the behavior of employees & management.

Company culture
Company Culture awareness efforts-

Production Culture


Security Culture

Due to high costs of incidents there is no way a pure production culture can be profitable to it’s fullest potential.

What is a production culture
What is a Production Culture? awareness efforts-

  • Belief that only production matters.

  • Whatever it takes to get the job done.

  • Security performance is not measured.

  • Security performance is not part of

    supervisor’s job.

Security culture
Security Culture awareness efforts-

  • Security is not a priority - it is a corporate Value.

  • All levels of management accountable.

  • Security performance measured & tied to compensation.

  • Security integrated into all operations.

The purpose of the program
The Purpose Of The Program awareness efforts-

  • Security is everyone’s responsibility

  • Provide all opportunities to determine how in their daily roles

    • Knowledge (what)

    • Skill (how)

    • Attitude (want)



Motivation vs attitude
Motivation vs. Attitude awareness efforts-

  • Motivation tends to be dynamic in nature

    • Lasts minutes or weeks

    • Intrinsic motivation plays a role

      • People feel free to make their own choices

      • Need to justify actions in terms of internal reasons

  • Attitudes is a more static, internalized factor

    • Lasts months to years

    • Staged as readjustment, cooperation, acceptance and internalization

    • User acceptance and internalization must be considered gradual processes and long-term goals

A collection of approaches
A Collection of Approaches awareness efforts-

Analysis and problem solving what we looked at
Analysis and Problem-solving awareness efforts- What We Looked at

  • People

  • Business

  • Measuring, evaluating


Break awareness efforts-

People awareness efforts-

  • Identify key relationships.

  • Establish rapport with students, faculty and staff.

  • Become visible and available.

  • Develop security awareness program.

  • Be the person who is there to help.

  • Emotional/psychological management

Business awareness efforts-

  • Understand…

  • Business and customer expectations

  • Relationships between business and customer

  • Key information and other assets, owners and custodians

Strategy awareness efforts-








Strategic Planning

Design awareness efforts-

National Institute for Standards and Technology

The awareness program
The awareness efforts- AwarenessProgram

The security process is more than the implementation of technologies

Redefinition of the corporate culture

Communication of managements message

Employee understanding of value of information

Employee understanding of importance of their actions to protect information

Scope awareness efforts-

The scope of any Security Awareness

campaign will reach all network users,

beginning with senior department

executives working towards each and

every member of the community.

Who are the members of your community?

Customizing the Message awareness efforts-

Plan to address segmented groups with messages specifically designed for those areas.

  • Leadership

  • Staff

  • Students

  • Faculty

  • Senior Management

  • Line Supervisors

  • End Users

  • Contractor and Temp

Needs assessment
Needs Assessment awareness efforts-

  • Senior Management - will be expecting a sound, rational approach to information security.

  • Line supervisors - These individuals are focused on getting their job done.

  • Employees - are going to be skeptical. They have been through so many company initiatives that they have learned to wait. If they wait long enough and do nothing new, the initiative will generally die on its own. It will be necessary to build employees awareness of the information security policies and procedures. Identify what is expected of them and how it will assist them in gaining access to the information and systems they need to complete their tasks.

The information security message
The Information Security Message awareness efforts-

  • The employees need to know that information is an important enterprise asset and is the property of the organization.

  • All employees have a responsibility to ensure that this asset, like all others, must be protected and used to support management-approved business activities.

  • To assist them in this process, employees must be made aware of the possible threats and what can be done to combat those threats.

  • Is the program dealing only with computer held data or does it reach to all information where ever it is resident?

  • Make sure the employees know the total scope of the program. Enlist their support in protecting this asset.

  • The mission and business of the enterprise may depend on it.

Delivering the message

Special events awareness efforts-

Security classes




Security newsletter

Screen saver






Web site

E-mail broadcast

Sign-on banner


Not recommended


Highly recommended

Delivering the Message

Formats for communication
Formats for Communication awareness efforts-

  • Individual meetings

  • Staff meetings

  • Conference calls

  • E-mails

  • Videoconferences

  • Messages

  • Faxes

  • Graphics and logo

U of a intranet
U of A Intranet awareness efforts-

UA Security Awareness Campaign

Being Security Aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within our computer systems and through out our organization. Therefore, it would be prudent to support the assets of our institution (information, physical, and personal) by trying to stop that from happening.

2004 Information SecurityAwareness Day

Current Security Events

UA Information Security Awareness Day  Computer Security: What you need to know

2004 Information Security Brown Bag Series (.pdf)

Calendar of Campus Security Awareness Events


Security Awareness Presentations

Security Plan Information

Security Awareness Campaign Initiatives(.pdf)Security Awareness Campaign Feedback QuestionnaireEvaluation Model(.pdf)

Send comments and suggestions to:Kelley [email protected] call 626-8232

UA Privacy Statement

Please send comments, suggestions or questions to:Business Continuity & Information Security(520) [email protected]

Website created and maintained by:CCIT Information Delivery Team

Sample email message
Sample Email Message awareness efforts-

An attorney's advice and it's FREE!

A corporate attorney sent the following out to the employees in his company:

  • The next time you order checks, omit your first name and have only your initials and last name put on them. If someone takes your check book they will not know if you sign your checks with just your initials or your first name but your bank will know how you sign your checks. When you are writing checks to pay on your credit card accounts,

  • DO NOT put the complete account number on the "For" line. Instead, just put the last four numbers. The credit card company knows the rest of the number and anyone who might be handling your check as it passes through all the check processing channels won't have access to it.

A picture is worth a thousand words
A Picture is Worth awareness efforts- a Thousand Words

Information Protection Centre

Manitoba Information and Communications Technologies

Cal Poly Pomona University

University of Arizona

Layered Privacy Notices awareness efforts-

A Coordinated Approach awareness efforts-

Group 1

Group 2

Group 3


Staff Meeting Invitation

Videos and Poster

Newspaper article

General Security

Monthly Theme

Current Issues

Group 1 Communicates bottom line cost advantages, business survivability, effects to shareholder value, attacks on confidential data, and offsetting resulting litigation.

Group 2 Technical staff should have a focus on individual verification procedures, and features and attributes of software programs that can support increased security.

Group 3 Non-technical overview of what security is and why it is important. Include elements of security, the threats to security, and countermeasures: all with Company policies and procedures should lend insight and support of the countermeasures.

Implementation awareness efforts-

Is hard……times 20!

Perfection is boring and gets in the way of


Is where continuous improvement starts.

Communication and marketing

Communication and Marketing awareness efforts-

You can never over-communicate

during times of change.

Why communicate
Why Communicate? awareness efforts-

  • Public support

  • Demonstrating success

  • Explaining and persuading

  • Adequate resources

  • Public Interest/ Accountability

Key questions
Key Questions awareness efforts-

  • Who do want to talk to?

  • What do we want them to understand?

  • How do we want to influence them?

  • Should we priorities or group the audiences (market segmentation)?

  • Do not forget employees as key stakeholders

Stakeholder analysis
Stakeholder Analysis awareness efforts-

  • A technique to assist in making decisions about who to involve, and how to involve them.

  • For any decision or action, a stakeholder is anyone who is affected by, or can influence, that decision or action.

  • Rate:

    • Attitude

    • Influence

    • Estimate

    • Confidence

Messages awareness efforts-

Getting there
Getting There awareness efforts-

  • Message, audience, means ….. NOT

  • Means, audience, message

  • What is best for which audience?

  • It is not just press, radio and TV

  • Spectrum, for example – Personal contact

Getting there1
Getting There awareness efforts-

  • Leaflets and other publications

  • Exhibitions

  • Paid advertising

  • Web and “new” media - narrowcasting

  • Build in feedback where you can

Timing awareness efforts-

  • Identify fixed events in programmed

  • Be aware of outside fixed events

  • Be ready for the unexpected

  • Be opportunistic

Communication awareness efforts-

  • Bi-monthly Brown Bag sessions (training/awareness course(s)

  • Monthly security awareness newsletter

  • Posters

  • Security awareness messages on the intranet

  • Security awareness days

  • Integrate efforts with HR efforts (orientation)

  • Modeling


Break awareness efforts-


Measurement awareness efforts-

If we are required to assess change in behavior by virtue of how long a person sits in a seat……………

we are focusing on the wrong end of the person.

Measuring evaluating
Measuring, Evaluating awareness efforts-

  • Security is like the brakes on your car.

    • Their function is to slow you down.

    • But their purpose is to allow you to go fast.

  • What do we want to measure? awareness efforts-

  • What can be measured?

  • How can it be measured?

  • How do these relate to initial objectives?

  • Continued monitoring?

  • Feed into future strategies/ campaigns

Strategic content sessions
Strategic Content Sessions awareness efforts-

  • Measurement of existing security weaknesses can be based on:

  • Incident reports

  • Tools that measure compliance

  • Interviews with supervisors

  • Testing

  • Employee surveys

Measurement tools
Measurement Tools awareness efforts-

  • 1. Distribute a survey or questionnaire seeking input from employees.

  • If an awareness briefing is conducted during the new-employee orientation, follow up with the employee (after a specified time period of three to six months) and ask how the briefing was perceived (i.e., what do they remember, what would they have liked more information on, etc.).

  • 2. Walk-about’s. While getting a cup of coffee in the morning, ask others in the room about the awareness campaign. How did they like the new poster? How about the cake and ice cream during the meeting? Remember that the objective is to heighten the employee’s awareness and responsibilities of computer security. Thus, even if the response is “that poster is silly,” do not fret; it was noticed and that is what is important.

  • 3. Track the number and type of security incidents that occur before and after the awareness campaign. Most likely, it is a positive sign if one has an increase in the number of reported incidents. This is an indication that users know what to do and who to contact if they suspect a computer security breach or incident.

Measurement tools1
Measurement Tools awareness efforts-

4. Conduct “spot checks” of user behavior. This may include walking through the office checking if workstations are logged in while unattended or if sensitive media are not adequately protected.

5. If delivering awareness material via computer-based delivery, such as loading it on the organization’s intranet, record student names and completion status. On a periodic basis, check to see who has reviewed the material. One could also send a targeted questionnaire to those who have completed the online material.

6. Have the system manager run a password-cracking program against the employee’s passwords. If this is done, consider running the program on a stand-alone computer and not installing it on the network. Usually, it is not necessary or desirable to install this type of software on one’s network server. Beware of some free password-cracking programs available from the Internet because they may contain malicious code that will export one’s password list to a waiting hacker.

Putting metrics in perspective a case study
Putting metrics in perspective – A Case Study awareness efforts-

  • One of our key areas for security focus was viruses and worms

  • Two main goals.

    • Reduce the number of lost work hours in the organization due to virus/worm infection and effort required trying and preventing virus/worm infections.

    • Reduce or eliminate secondary infections of our business partners.

Company background
Company Background awareness efforts-

  • Over 1100 employees

  • Business partner

    • has access to our networks

    • receives hundreds to thousands of emails from us daily.

  • Made some technical changes

    • Reduce the problems in the first year or so after introducing them. After that we reached a plateau.

  • Introduced an awareness program.

    • Intranet website dedicated to virus problems

    • security bulletins for new virus/worm outbreaks

    • regular, monthly security awareness articles

    • Presentations (both scheduled and on request.)

Results awareness efforts-

  • Then - 6,000 hours expended annually to control virus/worm outbreaks in 2000

  • Now - Less than 2,000 hours in 2003

  • Then - 5 significant virus/worm outbreaks in 2000

  • Now - 2 significant virus/worm outbreaks in 2003

  • Then - Out of a typical 25 new helpdesk requests per business day, four of them dealt with virus/worm problems

  • Now - New helpdesk requests per day has increased to 28 on average, virus/worm requests have dropped to less than 1 per day

Five levels of the information security evaluation model
Five Levels Of The awareness efforts- Information Security Evaluation Model

  • Level 1 =COMPLACENCY


  • Level 3 = INTEGRATION



    Where is your Organization?

Progress to date
Progress to Date awareness efforts-

Level 5


Level 4



Level 3


Level 2



Level 1


Highlights of before and after results
Highlights of Before and After Results awareness efforts-

  • Security Questions and Problems

  • AUP

  • Security Awareness Training

  • Perceived Value of Security

  • Stewardship in Projects

  • Best Practice

Security awareness content
Security Awareness Content awareness efforts-

  • Personal Security

    • Social Engineering

    • Identity Theft

    • Clean Desk Policy

    • Parking Lot Security

    • Emergency Alerts

  • Physical Security

    • Building Access

    • Rules for ID Badges

    • Visitor Control

    • PC Security

    • Telephone Fraud

    • After Hours Access

  • Information Security

    • Password Construction & Management

    • Screensavers

    • Internet Security

    • Software Piracy

    • Data Backups

    • E-mail Usage

    • Internet Usage

    • Viruses

Getting started
Getting Started awareness efforts-

Three necessary components to develop security habits


(What to do)


(How to do)


(Want to do

and Why)

Program elements accelerated learning
Program Elements awareness efforts- Accelerated Learning

  • A positive learning environment

  • Total learner involvement

  • Appeals to all learning styles

  • Collaboration among learners

  • Learning in context

  • Facilitation vs. Training

Sa tools
SA Tools awareness efforts-




Lessons learned

Lessons Learned awareness efforts-

Lessons learned 1
Lessons Learned: 1 awareness efforts-

  • The security awareness leadership position is not a technical role.

  • Rather, it is a program manager role.

  • The role must be comfortable as a program manager, and must be able to know when to put on the technical hat.

Lessons learned 2
Lessons Learned: 2 awareness efforts-

  • Security awareness is not a natural thought process for everyone.

  • Sometimes you don’t know what you don’t know.

  • You must plant/grow the seeds of awareness, and illustrate the relevance of security to all roles.

Lessons learned 3
Lessons Learned: 3 awareness efforts-

  • A commitment to security implies investment primarily in a security leadership position itself.

  • The investment needn’t involve spending money on technology.

  • Invest in the human resource first.

Lessons learned 4
Lessons Learned: 4 awareness efforts-

  • While security and privacy are important to most people, we tend to be uncomfortable talking about security weaknesses.

  • The role must de-mystify security and steward creation of appropriate settings and processes to discuss security issues.

Lessons learned 5
Lessons Learned: 5 awareness efforts-

  • Security is on everyone’s mind, but not everyone understands how to apply security in the context of their work.

  • This is sometimes perpetuated from areas inside the organization.

  • Ability to articulate and quantify risk and cost of consequence is an essential element of gaining a motivated audience.

Lessons learned 6
Lessons Learned: 6 awareness efforts-

  • The “starter” key relationships are:

    • Legal Counsel

    • Human Resources

    • External Affairs

    • Executive Team

    • Risk Management

    • Audit

Lessons learned 7
Lessons Learned: 7 awareness efforts-

  • Over-prescription creates little gain in security at the expense of willingness and cooperation from customers.

  • Security is a “living thing”, not a one-time project.

  • Find ways to attract and retain all stakeholders in security discussions and activities.

Lessons learned 8
Lessons Learned: 8 awareness efforts-

  • Few security answers are binary.

  • The vast majority of answers are analog.

  • The ability to discriminate which situations require a binary answer, and which require more a more introspective analog answer, is essential.

Lessons learned 9
Lessons Learned: 9 awareness efforts-

  • Measurement is essential to illustrate value and costs, and to underwrite future success.

    • Keep track of what you do.

    • Tabulate.

    • Quantify.

    • Report.

    • Share (with discretion)

Security is like quality
Security is Like Quality awareness efforts-

  • "You can't buy security. It's not a product. It's a mindset and a never-ending process. To succeed, security must permeate every aspect of our business. It's not just the responsibility of the executive and management team; every employee must have a tenacious commitment to it.

  • “Security is intangible, but it's not ethereal. It's difficult to quantify, but its results are absolutely measurable.

  • "How much does security cost? Nothing. It's free when everyone is committed to it.“

    Andrew Briney

Lessons learned 10
Lessons Learned: 10 awareness efforts-

The beginning is the most important part of the work.

We End Where We Began awareness efforts-

  • If the result of this workshop gives voice to some of your own experiences, or provides new ideas that contribute to your success, then we have succeeded.

  • As you take your own journey, we would like to hear from you and invite you to email us with your questions and stories of your victories as you chart your own change path.

Conclusion awareness efforts-

  • Organizations don’t change. People change. And then people change organizations.

  • It’s very hard to change people’s minds if it means reducing their job satisfaction.

  • Technology comes and goes, but people will always be a challenge!

  • If you always do what you’ve always done, you’ll always get what you’ve always got.

Thank you
Thank You awareness efforts-

Keep chasing the dog, or fence it in?