Planting the seed for a security culture program 1/3

27/10/2017 By SIT Group Member

– by Melissa Misuraca

1 of 3

Over the next 3 weeks, SIT Group member, Melissa Misuraca, provides a series of tips about obtaining the necessary support to move forward with a new security awareness program. Don’t forget to check back each week to collect the rest!


Many security awareness and education professionals within the SIT Group are fortunate to work within great companies or with great consulting clients, so we spend a lot of time talking about the benefits of security culture, what is best practice and what our peers in the industry are achieving. In our excitement and zest for improving security culture maturity, we could be forgiven for not taking a step back and thinking about those individuals and organisations who are just starting their journey, or may not be aware there is a journey!

Regardless of industry sector, size or turnover, Australian companies are at various stages of maturity. Some are just starting to sow the seeds and get management buy-in, some have internal support but need a ‘kick-start’ to help them plan and implement activities, and others have more mature programs that they want to continually improve. Rarely is it a question of budget or resources; barriers such as lack of management support, time constraints or ‘where do I start?’ are the common themes.

The purpose of this article is to help provide some tips for our peers who need a helping hand. You know security culture is important, but you might be having some difficulty obtaining the necessary support to move forward. So, without further ado, here are some prime pointers for helping you get the show on the road.

The burning platform

Like any behavioural change initiative, you need to identify the burning platform. By that I mean asking yourself, “the consequences of not changing are… what?” Many of us know what that is because we live and breathe security every day, but you need to be able to convince your sponsor, manager or whoever the decision maker is (note: he or she who is in control of the purse strings) why you need to embed security culture within an organisation. It’s up to you to ensure security culture has a seat at the table. More often than not, poor security behaviours are already occurring; they just aren’t being articulated in a manner that will inspire action. Knowing the pain points and being able to articulate them will also help you define your metrics and ultimately measure the impact of the program.

Get buy-in with data

The proof is in the pudding. Some of our clients run phishing exercises and/or physical exercises, such as testing physical security controls like access and tailgating. They then table these findings. Learning that Joe Bloggs, pretending to be an IT contractor, made their way into the building, popped their sandwich in the toaster in the common room, had a chat to the staff, and then proceeded to collect confidential information, plug access points into the network, and spend the afternoon wandering around the building, tends to raise alarm bells, which in turn can translate to support from the highest level of an organisation.

Use a variety of awareness tools

While there is a place for computer-based training modules, too many programs rely on them completely as an awareness program. The most successful programs incorporate a variety of awareness tools, including newsletters, posters, games, newsfeeds, blogs, phishing simulations, etc. The most participative efforts appear to have the most success. Another issue to consider is that materials should take into account the different demographics of your users. Diversify your materials to appeal to as many users as possible. There is definitely no such thing as a “one size fits all” approach.


Check back next week when Melissa will talk about the following factors when building your case:

  • Partnering
  • Leveraging other work
  • Funding