18 May Your first 30 days as a Security Awareness Officer
The Security Awareness Officer
Security Awareness Officers, or those responsible for establishing and coordinating a security awareness program, are increasingly becoming an essential part of organizations’ cybersecurity efforts.
If they are successful in reducing risky employee behavior, they contribute significantly to lowering cyber risks. A hostage software incident, for example, has enormous consequences in the worst case scenario: Business operations come to a complete stop, confidential information is made public and relationships are threatened with follow-up attacks. Only one wrong action can have a significant negative impact on a company’s reputation.
Because the position of Security Awareness Officer is relatively new and more and more companies are appointing a Security Awareness Officer, this blog series gives you an insight into the first 30 days, 90 days and the first year of a Security Awareness Officer. What goals should the Security Awareness Officer set, what activities does he or she undertake and what does the Security Awareness Officer achieve?
Read more: Why you should add a Security Awareness Officer to your team.
Meet important stakeholders
Of course, even for a Security Awareness Officer, the first 30 days of new employment should be about getting to know the organization, the culture and your new colleagues.
In the LinkedIn Learning article The 10 Things You Should Do In The First 30 Days of a New Job the number one item is ‘Talk About Your Why’. Translated, the article states that it is important to talk about why you chose this job and feel so much passion for it. We couldn’t agree more. Since many of your new colleagues don’t see information security as a relevant topic, you’ll have to overcome that barrier first. A good way to do that is by first understanding what the organization’s primary business processes are and what role each person plays in them. You’ll need that understanding to convince them (later) that a good approach to cybersecurity is essential to business operations and will help them achieve their primary goals.
After getting to know your immediate colleagues, start on the side of operations (the business): identify key stakeholders and ask if they want to help you understand the business model in an introductory meeting. Prepare yourself for this meeting by researching their personal background and understanding their position in the business.
During the introduction, ask a lot of questions about the business process, department or business unit. Also try to identify interactions with other business processes, departments and external parties and make sure you prepare questions. This way, you get the most out of the interview. Above all, do not fail to inquire during the interview about their perspective on the people, processes and systems, planned future developments and goals.
All the information you pick up in these conversations are valuable input. After all, a well-functioning security awareness program is widely supported by stakeholders in the business. They can strengthen your message within their sphere of influence, but will only do so if the goals of the program are well aligned with those of the organization.
Identify areas of risk (in relation to business processes)
As a Security Awareness Officer, how do you define the goals of the security awareness program?
Identifying the key risks (or risk areas) is the second goal in your first 30 days as a Security Awareness Officer. The information gathered from the introductory interviews will give you a blueprint of the business model, key business processes, key players and culture. Depending on the the quality of the conversations you’ve had, you can also make a great assessment of the different risk areas.
Use existing information to give your assessment a boost. Before you started working for a company, security or risk activities have probably been analysed, so it’s a good idea to delve into them through desk research. Risk assessments, (compliance) audit reports, vulnerability scans and penetration tests are commonplace, but an analysis of cyber incidents or a cyber strategy document can also be valuable sources of information.
Also examine the measures that have already been taken to limit or insure cyber risks. This will give you a balanced picture of the real risks that are relevant to the security awareness program to be set. Based on the information you find, you can conduct further interviews with people in the organization to conclude the information you gathered.
Set goals (for the security awareness program)
The information gathered in your first 30 days as a Security Awareness Officer will enable you to set priorities. The human, technology and process risks on primary business processes that cannot yet be accepted or insured are the topics of which (relevant) employees should be made aware as a starting point for behavioral change. It’s true that minimizing risky behavior is the main goal of a security awareness program. If the main risk is relevant to a (primary) business process, your objective is fully aligned with your stakeholder.
In the next part of this blog series, we cover activities and goals in the second and third month as a Security Awareness Officer.