5. Educate Your Teams
I cannot overstate the value and importance of this practice. Education is the first step toward awareness and, as you will see in the chart from Gartner below, you still have a long way to go after you have become “Aware!”
The challenge most organizations face here is two-fold: How to best educate their teams, who might be geographically disbursed and of different skill set; and, which team(s) to invest in for security training.
Deciding which team to train (or in what order) is a highly contextual decision that needs to be made based on your specific organization. However, having helped several companies successfully roll out security awareness programs recently, I have observed a few critical success factors that I will share here:
Management Buy-In – Security awareness will likely lead to behavior and policy changes at your organization. For that to happen effectively and efficiently, management must be on board. Even better make them part of the change by ensuring that your program has elements that appeal to management.
Ensure Policies Can Be Enforced – Write clear, understandable, current, and measurable policies. Naturally, the policies need to reflect the corporate, threat and regulatory environment. Awareness and training programs should address the importance of adhering to policies, as well as the potential financial and reputation impact to the organization from security events.
Measure and Report – Use both qualitative and quantitative metrics to obtain feedback, measure and benchmark the effectiveness of your security awareness and training program. Most importantly, communicate these metrics and results (good or bad) to your management team for their input, support, and insight.
If at all possible don’t limit education to only security awareness, but also provide technical security training for your engineers, auditors and others. This training is more difficult to find, but you can locate some excellent security specialists that provide training in scalable formats, e.g., eLearning, for both management and technical staff.
An Analyst’s View of Security Investment
Below, I provide a chart created by Gartner Group. It describes what they call the “Information Security Maturity Model,” or ISMM. The chart shows the progress organizations make as they mature in their information security awareness.
It tracks the percentage of organizations’ IT budgets allocated to security and shows how it balloons and then contracts as companies move through awareness toward operational excellence.
I find it interesting that 80% of organizations are still in either the “blissful ignorance,” “awareness,” or “corrective” phase. I suspect that number is substantially higher if this were tracked for only application security. The message I take from this is: GET AWARE. And the best way to start? Well, if you’ve made it this far in the article, you are well on your way!
Ed Adams is CEO of Security Innovation, an independent provider of application security services that include security testing and training.