Create a security awareness program in three steps
SECURITY.ITWORLD.COM --- 03/13/2007

Brent Huston

Security awareness programs may seem like they should be easy to implement, but in reality, they require skills that most security teams don’t regularly practice. To help you on your way towards a brighter security future, we've identified three steps required to create an effective awareness program: 

1 - Create a brand: This is advertising and marketing 101. Plain and simple, you must use marketing concepts like branding and advertising if you want your program to be effective. Take the time to actually convert your security policies to three to five concepts and taglines that can be reinforced on a continual basis in a variety of media. Wrap those ideas around an icon, character or image and you just might have a brand. Branding sells products as well as ideas, concepts and security mechanisms.

2 - Reinforce the message: Once you have your brand, think about how to communicate your three to five concepts. How can you repeat them to your target audience over and over again until they become a mantra? Can you find ways to get folks to “opt in” to getting the message? Can you make it a part of their routine?

Whatever you decide, consider using prizes, surveys and multimedia to make it happen. The number one rule in this part of the process is to be creative: if you stick with traditional posters and weekly emails, you have an awareness program, but it won’t be an effective program. The more you can mix the media of delivery, the better. The more interactive you can make it, the better. Don’t be afraid to use humor, drama and hype to create effectiveness.

3 - Perform ongoing assessment: Most folks forget this step. Don’t wait for your next audit to determine if your program is effective. Test it yourself, or work with a vendor. If you are not auditing your own resistance to social engineering, malware trickery and phishing, then you do not have a complete awareness program. Only through continual testing and ongoing feedback and revision loops will you succeed. Assessment is key to identifying what works and what doesn't.

That’s it! Follow these steps, continue to work on the program and it will be an effective mitigation to many threats. It sounds easy, but the real task is the creativity and ongoing effort to sustain it. That’s where you might reach out to your internal marketing teams, or form a working group with a vendor. The payback will likely be huge and more than worth the resources. Some security teams may even bring in marketing consultants or employ a marketing person full time to work on awareness. Things have come a long way since the days of policy reading and boring yearly PowerPoint presentations – thankfully!

 

Brent Huston is CEO and Security Evangelist of MicroSolved, Inc., an information security company based in Columbus, OH. Brent and his staff have performed system and network security-consulting services for Fortune 500 companies, international telecomm firms and major financial institutions. His professional experience exceeds fifteen years in the information security field. To date, he has performed hundreds of vulnerability assessments and penetration tests against target organizations such as banks, credit unions, financial companies, e-commerce sites, critical infrastructure, federal/state/local governments and military/national security installations. He is well versed in the use and implementation of all major security tools, standards and systems and has developed the primary assessment methodologies in use at MicroSolved and the US Department of Energy. He has published numerous white papers on security-related topics, and is the co-author and technical editor of the book "Hack Proofing Your E-Commerce Site" from Syngress Publishing. Write him at bhuston@microsolved.com.



Copyright © Computerworld, Inc. All rights reserved

Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.