Security awareness without resources - five Hinson tips
While listening to a couple of ISSA webinars on security awareness and idly scribbling notes to myself, I've been mulling over the common refrain that 'We just don't have the resources for security awareness'.
One of the speakers said something along the lines of "I've never had the luxury of anyone on the payroll to do security awareness, except me and I'm always busy. I don't think we'll ever have anyone to do it full time, maybe a quarter FTE next year if we're lucky". This is for a healthcare organization with over 20,000 employees.
That struck me as a depressing, almost defeatist attitude. I honestly struggle to believe that their management doesn't support security awareness, given how absolutely crucial it undoubtedly is to meet their security and privacy obligations and business challenges. How can they possibly afford NOT to do security awareness? I suspect the real problem lies not so much with management's resistance to the idea but with the lack of push. Too much else on the go maybe. Nobody with the ooomph to build a convincing business case perhaps.
That struck me as a depressing, almost defeatist attitude. I honestly struggle to believe that their management doesn't support security awareness, given how absolutely crucial it undoubtedly is to meet their security and privacy obligations and business challenges. How can they possibly afford NOT to do security awareness? I suspect the real problem lies not so much with management's resistance to the idea but with the lack of push. Too much else on the go maybe. Nobody with the ooomph to build a convincing business case perhaps.
I thought I'd share with you some more optimistic tips on how to make a success of security awareness even if you are resource-constrained:
- Figure out what resources you actually have. Hint: it's not zero. For starters, you are thinking about it right now. Your head-space and interest in the topic constitutes a resource. So are your learned colleagues in Information Security plus related departments and teams such as Risk, Compliance, Site Security, HR, Health and Safety, Operations, IT, Training, Employee and Corporate Comms. Friends/supporters of security throughout the organization are resources (security is everybody's business, remember). This blog and a gazillion others are resources. There are websites, professional associations, Google, social media, magazines, newspapers, the TV news and documentaries. There are textbooks and articles, vendor white papers (and courses and collateral and freebies), marketing materials, course books ... Even if you think you have nothing, in reality you have enough to make a start. Actually, you have more than enough: the hard part is sifting though for valuable nuggets, and making good use of the available resources. So please don't pretend you are a pauper. You are information rich, time poor maybe but hardly destitute.
- Beg, steal or borrow even more resources. Hustle. Horse-trade. Collaborate with your colleagues - the pro colleagues noted above plus 'management' and last but not least 'staff' (you are proactively investing in your personal social network throughout and beyond the organization, right? ....) If you can, call upon, dip into or exploit other departments' resources e.g. the training budget; the new employee orientation budget; the corporate comms budget; the intranet/web development budget; business and IT project budgets ... Use interns and temps. Call in favors and offer your skills and expertise to those who need it (every such interaction is an awareness opportunity). Use internal surveys, competitions and challenges to both engage your workforce and develop additional content (anecdotes and case study materials, for instance) and metrics. Find people who are good at what you need. [Blatant plug: Farm out the hard graft of researching and preparing creative content to security awareness professionals who relish the opportunity. It's cheaper, easier and more effective than doing it all yourself!]
- Milk every last drop of value out of the resources you do have. Work your resources harder. Get creative. Challenge and encourage colleagues to come up with good ideas. Prioritize. Consider the value of the activities you are currently doing and planning/thinking about. Invest in things that will deliver value over the long term rather than just spending on short-term fixes for immediate needs. Scrimp and save, manage your resources. Squeeze the slack out of other activities and divert/redeploy the funds and other resources towards more cost-effective stuff. Play the games that people play. If you must, overspend on things that management can't reasonably deny are important. Watch the pennies. Track the value.
- Measure and improve systematically. Use maturity measures, surveys and other metrics to get on the front foot. Instead of lamely alluding to progress, success and value, dig out and exploit hard evidence demonstrating that security awareness activities are actually delivering beneficial cultural changes in the organization and ultimately, of course, saving money by reducing the number and severity of incidents. Demonstrate that your awareness program is adding real value, and that the organization would be much the poorer without it (the straw man approach). Be explicit and specific about the resourcing constraints on what you do and can achieve in order to justify and persuade management to make additional targeted investments, or at least to re-prioritize things ...
- Aim higher. Justify and push for (further/sufficient) investment in security awareness. Learn from other departments, projects and initiatives about getting support for ... initiatives, projects and departments. Develop a coherent, sensible strategy that pushes security awareness and training as a way to support and enable the business (please, not security for security's sake; by all means make awareness an integral part of your overall information or cyber security program but make darned sure that is business-driven) and sell it. Garner management's support through a well-constructed business case and plenty of one-on-one time informing, refining, persuading and motivating management. Most of all make it work. Meeting/exceeding management's expectations is important to your credibility, if you expect future budget requests and proposals to be well received.
PS Here's a free bonus tip. I mentioned 'scribbling notes to myself'. My main notebook is a virtual scratchpad, nothing fancy, just a plain text file linked from my desktop. I quickly jot down bright ideas that I come across or come up with so that I can contemplate, develop, combine and use them later on when I have more time. I also use this blog as a place to document, develop and share my thoughts. Priceless!