Stuart King posted his Top 5 Information Security Annoyances a couple of days ago. Stuart and I have bantered back and forth a few times on risk assessment and risk management. In his most recent post, Stuart lists five information security annoyances, two of which I want to respond to: “Security Awareness Programs” and “Risk Modeling”.
There are a couple of reasons why I want to respond:
1. I believe that Stuart and ComputerWeekly are unintentionally doing a disservice to the information security profession: Stuart, by dismissing the value of security awareness programs with one broad stroke; ComputerWeekly, by publishing that broad stroke under its name.
2. I want to give a glimpse of hope to seasoned IT security professionals, new IT security professionals, decision makers questioning our value, and compliance professionals: security awareness programs do add value, if done properly.
Regarding Stuart’s “Security Awareness Program” annoyance…
Here is what King wrote: “A whole cottage industry of consultants and websites has been built up around the perceived need to educate company employees about information security. It’s all a waste of time and money. Certain individuals will point to a reduction in the number of lost laptops as a measure of success, or an increase in the number of people who can correctly click “a). All policies are on the Intranet” in a multiple choice questionnaire. The fact is that security awareness programs are received within the organization with about as much enthusiasm as a plate of sick. The key to good information security is strong governance, good communication and well managed, decent processes. Security awareness programs sap energy and resources, and have little positive effect. Drop them.”
Where to begin? Instead of nit-picking line by line, let me describe what a good security awareness program looks like (not in order of importance; I am probably missing some other attributes).
Complements other risk management processes (the fifth attribute below; a story about this one first)
In 2008, I participated in a fairly large IT security risk assessment for a large business unit. Without going into details, the primary product distribution capability for this business unit relies on independent contractors and their employees across the United States (around 25,000 people). There were a few risk issues that we deemed necessary to document, and one of the mitigation plans was to create a security awareness program. On a side note, the team responsible for this program did an absolute bang-up job and I am really proud of their hard work.
How is a security awareness program a “security control”, and thus a mitigation option? In other posts I have mentioned that there are generally three types of security controls: preventive, detective, and response. A security awareness program can span all three.
Preventive: if the program educates the target audience and changes behavior in a way that results in fewer security incidents, and consequently less loss, at a reasonable cost, it has value.
Detective: a security awareness program will not prevent every bad thing from occurring, but it can help the target audience recognize when something bad is occurring and know to alert security or leadership.
Response: I have witnessed numerous instances where information security was proactively engaged to address a security issue because of awareness programs. Had some of these issues or incidents gone unreported, the result could have been long periods of data loss or reckless behavior that would have cost the company more to address later.
Back to what a good security awareness program looks like…
Accessible. The program needs to be accessible to the target audience, whether it is a web-based application, a distributed CD, or an in-person meeting. If it is not accessible, people will not know how to participate, let alone embrace it.
Relevant. Security awareness programs need to be relevant, which implies that they will have to change from time to time to keep in step with the risk landscape. Does that mean that solid security principles no longer get addressed in the program? No. It means that the program needs to address the biggest threats we face today and how the security controls and programs we have in place address those threats.
Incentives. This is easier said than done. For the program I mentioned above, the team that put it together was able to get the security awareness program certified by a few US states for official “continuing education” credits (specific to a certain industry and its licensing requirements). Thus the program not only educates the target audience, it also helps them fulfill the continuing education requirements for maintaining their licenses to distribute our product in the state(s) they operate within. With a little imagination, you can probably create your own incentives as part of your security awareness program.
Interactive. This is a no-brainer: make it interesting to the target audience. There are many learning styles and it is hard to accommodate all of them, but if we want people to take time out of their busy schedules to participate in our program, it cannot be boring.
Complements other risk management processes. The security awareness program needs to be leveraged across other risk management processes. For example, for a program focused on data protection: can I correlate the places where data loss is occurring with whether the individuals in those areas have or have not participated in the security awareness program? There is also the compliance angle. For US readers, many federal, state, and industry regulations mandate “security awareness programs”, so for someone to simply recommend that you “drop them” is irrational.
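To make the correlation question above concrete, here is a small Python example I am adding to this post (it is not code from the program described above, and it is not Stuart's). It joins a constructed training roster to constructed incident records and compares incidents per head for people who did and did not complete the program, overall and per region. The roster fields, the region names, the incident categories and the sample figures are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    person_id: str
    region: str
    completed_training: bool


@dataclass(frozen=True)
class Incident:
    incident_id: str
    person_id: str
    category: str  # e.g. "lost_laptop", "misdirected_email"


# Constructed sample data for the example; not figures from the post.
PEOPLE = [
    Person("p01", "northeast", True),
    Person("p02", "northeast", True),
    Person("p03", "northeast", False),
    Person("p04", "northeast", False),
    Person("p05", "midwest", True),
    Person("p06", "midwest", True),
    Person("p07", "midwest", True),
    Person("p08", "midwest", False),
    Person("p09", "west", False),
    Person("p10", "west", False),
]

INCIDENTS = [
    Incident("i1", "p03", "lost_laptop"),
    Incident("i2", "p04", "misdirected_email"),
    Incident("i3", "p04", "lost_laptop"),
    Incident("i4", "p08", "misdirected_email"),
    Incident("i5", "p09", "lost_laptop"),
    Incident("i6", "p10", "misdirected_email"),
    Incident("i7", "p01", "misdirected_email"),
    Incident("i8", "p99", "lost_laptop"),  # not on the roster: reported as unmatched
]


def _rate(incidents, headcount):
    # A group with nobody in it has no rate; return None rather than divide by zero.
    return None if headcount == 0 else incidents / headcount


def incident_rates(people, incidents, region=None):
    """Incidents per head for trained vs untrained staff, optionally within one region.

    Relative risk is computed from the integer counts so that it is exact
    (e.g. 6.0, not 5.999...), and is None when either group is empty or the
    trained group had no incidents (ratio undefined)."""
    roster = {p.person_id: p for p in people}

    def in_scope(p):
        return region is None or p.region == region

    heads = Counter(p.completed_training for p in roster.values() if in_scope(p))
    counts = Counter()
    unmatched = 0
    for inc in incidents:
        p = roster.get(inc.person_id)
        if p is None:
            unmatched += 1  # incident attributed to someone we have no record for
        elif in_scope(p):
            counts[p.completed_training] += 1

    rr = None
    if heads[True] and heads[False] and counts[True]:
        rr = (counts[False] * heads[True]) / (counts[True] * heads[False])

    return {
        "trained_headcount": heads[True],
        "untrained_headcount": heads[False],
        "trained_incidents": counts[True],
        "untrained_incidents": counts[False],
        "trained_rate": _rate(counts[True], heads[True]),
        "untrained_rate": _rate(counts[False], heads[False]),
        "relative_risk_untrained": rr,
        "unmatched_incidents": unmatched,
    }


def rates_by_region(people, incidents):
    """Same comparison broken out per region, so an area with high loss can be
    checked against how many of its people actually went through the program."""
    return {r: incident_rates(people, incidents, region=r)
            for r in sorted({p.region for p in people})}


if __name__ == "__main__":
    print("overall:", incident_rates(PEOPLE, INCIDENTS))
    for region, stats in rates_by_region(PEOPLE, INCIDENTS).items():
        print(region, stats)
```

Two caveats a practitioner would want before quoting the numbers. First, this is a correlation: people who complete the program may differ from those who do not (different roles, different managers, more exposure to data), so a lower incident rate among the trained group is evidence worth presenting, not proof that the program caused it. Second, small regions break the comparison; in the sample data "west" has no trained staff at all, so the function returns None for that region instead of a misleading ratio.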
One final point I would make is cost. An effective security awareness program does not have to cost a lot of money. The program I mentioned above cost around US $0.50 per individual in the target audience (including both hard and soft dollars). For less than 50 cents a person we are able to educate them, and we fully expect a decrease in certain types of loss events. Our consumers benefit, our independent contractors benefit, and our company benefits.
In my next post, I will respond to Stuart’s Risk Modeling annoyance.