
Smart Factors: The Road to Success

There is a lot of information about how to set up an awareness program out there, but I also propose the following smart factors to be considered when building a human firewall. These tasks are less tangible, more people-oriented, and (for a few) longer to achieve. But as the adage says, the only way to harvest in the fall is to seed in the spring.

  • Change "Default=allow": Communicate to targeted staff that implementing systems or programs that are wide open is a legacy behavior that is not efficient in the long term. It is always easier, cheaper, and more consistent to build security into the system early than to add a security layer on top of an insecure system. If "Default=only allow what is needed" is implemented, the awareness program will be very light in the future!

    Challenge: This is a deeply ingrained behavior that needs to be changed.

  • Work on the fundamentals: You need to communicate a strong message, and you need one that you can hold on to tightly. Make security visible to your users to send a clear message, and provide them with efficient tools. As an example, secure the end-user devices (and the remote access). This sends a clear message to the user: "See what effort we put into securing your data; do not jeopardize this by misconduct!" People talk about security: yes, we use full disk encryption in our company! Do not ask your users to use encryption if it takes a Nobel Prize to use the tool.

    Challenges: None. Just do it!

  • Market your processes: Processes, standards and procedures are meant to improve the efficiency of the company in its market. They are not meant to secure assets for their own beauty. Link security to the company’s business and turn your speech from the security standpoint to the business standpoint. Do not tell your user what not to do; tell them how to do it in a secure yet efficient manner. Turn from a showstopper to a solution provider. Become an agent of change.

    Challenge: You have to be involved early in your projects.

  • Speak the people’s language: Prior to delivering a message, you should first seek to understand the audience. Speak the language of the business and drop the technical talk. There is little chance that your audience is passionate about information security. They will listen if you speak in their language.

    Challenge: You have to learn to listen and to internalize more basic language.

  • Turn root cause analysis into an awareness lesson: Every incident, or group of incidents, should be evaluated to decide whether it should become part of an awareness message for the whole company to learn from.

    Challenge: Often, company representatives want to keep the issues secret because it is easier to have others believe they have a strong system than to admit that they also have weaknesses. However, it is only when a problem hits home that it becomes a part of the employees’ consciousness.

  • Train the right people: Although the emphasis is often placed on end users, it is important to segment your audience and to address the weakest links:

    Focus on top management because it is this group that will make the decision for tomorrow.

    Stress the communication to those who are stakeholders in information systems processes.

    Communicate to end users.

    Define any other audience of importance to your company, such as a third-party service provider.

    Challenge: Multiple efforts for multiple targets mean a lot of work!

  • Hire an artist: Communication is not binary. Do not try to build information security awareness content for end users by yourself; you do not have the right sense of communication! Find someone who has 1) artistic skills and creativity; 2) good aptitude for understanding your audience; 3) only a basic knowledge of IT. You know what to do; he/she will know how to communicate it.

    Challenge: A reasonable budget is needed.

  • Measure your success: Metrics are an exciting subject, especially when it comes to information security. Without going into too much detail, it is generally accepted that the number of classes taken, the average number of people reading the messages, and so on are the way a security awareness program is measured. You can ask yourself whether this kind of measurement really meets the objective of minimizing users' mistakes or deliberate acts. Security awareness involves change, and as such it is harder to measure in the short term. I propose measuring nothing at all rather than measuring things that do not reflect the objectives and that give a false sense of security.

    Challenge: You might know this common adage: "You cannot manage what you cannot measure." In other words, it might be hard to sell because management tends to like tangible ways of measuring progress or status, even if most information security metrics today do not reflect a true state or evolution of a company’s level of security.
