At the second annual Infosecurity North America conference at the Jacob Javits Convention Center in New York, Tom Brennan, US chairman, CREST International, moderated a panel called Securing the Workforce: Building, Maintaining and Measuring an Effective Security Awareness Program to Drive a Company-Wide Responsibility for Security.
For some, security awareness is largely about compliance, but creating an effective program in which all members of the organization understand their role in protecting the organization is about more than checking a box. Commenting on whether security awareness is a matter of compliance or an investment in personnel, Chris Budd, VP, information security specialist CISO Americas, Deutsche Bank, said that it’s actually both. “More and more, regulators want to see that we are in compliance with regulations, and they want to see that this is happening in-house,” Budd said.
So what is an effective in-house program? Panelists agreed that if users are subjected to mandatory compliance training, they are not going to learn anything. Security awareness training, then, has to be an investment in personnel.
“There is no cyber perimeter in this world that will save you from social engineering,” Budd said.
The panel represented a range of sectors, one of which included Matt Nappi, the CISO at Stony Brook University, where getting buy-in from end users is a different beast. “We have a wide ranging audience made up of many different constituents with different needs and different goals, so we use marketing to reinforce training so that we can tailor the message to specific users,” Nappi said.
Because students are customers of the university, security has to appeal to them in a different way, which is why Nappi uses gamification to grab their interest. “We try and build credibility and use different forms of communication depending on the different audience," he said.
Making security practical to the user is the key to success, and creatively finding ways to appeal to the wide range of users in a multicultural organization comprised of an array of customers with cultural and language differences has been a conundrum that Marina Spyrou, SVP, global cyber security and risk leader at Nielsen, has had to tackle.
“The threats vary by region, so we do global training and awareness. One thing that has been very successful is that we created a community of security champions at the grass roots,” Spyrou said.
What has proven largely successful and resulted in measurable metrics is the use of real-life examples of different types of phishing. “We take incidents that have happened and share them as examples, saying this email came through. Here is what it might look like translated in other languages and regions,” she said.
The success of a program relies, to a certain degree, on the ability to get funding. While some of the panelists do have to rely on metrics to justify their budgetary requests, John Whiting, CISO, DDB Worldwide, said that getting money wasn’t a problem. “The question is how are you going to make it effective. In advertising, people are autonomous by nature and don’t like controls, so it’s important to get the risk factor out there with middle and senior management to let them know about data classification and their roles.”
While that’s not the case at every organization, Budd did say, “Sometimes funding helps to improve your metrics, but sometimes the metrics help to improve your funding.”