09 Jun Your first days as a Security Awareness Officer: part 2
In this blog, we discuss the duties in the second and third months as a Security Awareness Officer. In our first blog in this series, we discussed that a Security Awareness Officer is increasingly an essential part of organizations’ cybersecurity efforts. Because the role is fairly new, this three-part blog series explains what – in our view – are the most important activities for the Security Awareness Officer. We break it down as follows:
Part 2: Your second and third month as a Security Awareness Officer
Part 3: Your first year as a Security Awareness Officer
Read the blog about the first 30 days via the link above. For readers who don’t have the time (or inclination) to do so, here’s a brief summary:
Your first 30 days as a Security Awareness Officer (summary):
- Meet the ‘business’ – A well-functioning security awareness program is widely supported by stakeholders in the business. Therefore, identify key stakeholders and ask many questions during your introduction. Hooked stakeholders carry your message powerfully within their sphere of influence, but only if the goals of the program are well aligned with their own.
- Map risks – With the information from the introductory interviews, you can make a good assessment of cyber risks in business operations. Sharpen it with existing information by conducting desk research based on previous security or risk activities. Also go over measures already taken.
- Set goals – The information gathered in your first 30 days as a Security Awareness Officer will allow you to set priorities. The biggest residual risks on primary business processes form the first topics for the security awareness program. Share the results of the risk analysis with your stakeholders.
In your first 30 days, you have identified risks in the context of primary business processes and the audiences to which they are relevant. Based on the data at your disposal, you can now outline the most likely situations in which each risk could occur. This analysis is necessary because just knowing that a risk exists is not enough: the employee must learn to recognize risky situations and make the right choices in them.
Before you and your team can begin to put together the security awareness program, you need a starting point. After all, if you don’t know where you stand, it is difficult to determine a route to reducing the previously identified risks (which will form the goals of the program).
Therefore, it is a good idea to conduct a baseline measurement. The most commonly used methods for this are conducting a phishing simulation and using a survey that takes stock of the knowledge and/or awareness level of the target audience. In addition to explicitly carrying out an inventory activity, you can also use data that may already exist in the organization. Consider, for example, figures on the number and type of cyber incidents, or data on the number of (correctly or incorrectly) classified documents from an information classification tool. It is important that the data you collect relate to the most important risks (which in turn relate to the primary business processes). That way, you can be sure that your program supports business operations rather than working against them.
Put together a core team which will help you properly conduct the baseline measurement and later help you coordinate and implement the program. For example, to conduct a survey, you will need support from a Communications Specialist and the IT department as a minimum. Also make sure HR is involved: after all, the program is about people, so HR will certainly want to be involved. Your core team will also need a mandate. Therefore, a sponsor from Management is indispensable.
Curriculum (Learning plan)
After the baseline measurement is done and you have analyzed the data, the next step is to make a plan: the curriculum. A curriculum (or: learning plan) describes per target group the learning goals you want to achieve, the knowledge they must master and be able to apply, and the strategy you choose to achieve that.
In your plan, it is important to set goals that are (above all) measurable and achievable within a set time frame. In doing so, it is good to coordinate the goals with the team and agree on how to report on them (in the interim). Based on your work in the first 30 days, you know the different target groups, their specific characteristics and the risks related to them, so set goals for each target group. Together with the starting point you determined during the baseline measurement, you can now determine an effective route.
That route is mainly determined by the people, processes and technology you have, or can get, at your disposal. For the latter, you can supplement the plan with scenarios that show how additional resources contribute to achieving (more) results (faster). The budget holder (if you aren’t that yourself) can then make a choice based on the available budget and other projects.
Don’t forget that working faster may seem possible on paper, but in practice it may not be possible because the culture of the organization does not allow it. Again, your stakeholders can serve you well there. They know the culture better than you do and, based on that, can estimate to what extent people will resist.
The last, but certainly one of the most important parts of your plan is communication. To get your target group(s) on board, you will need to properly explain why the topic is important, how they can contribute to the goal, and exactly what is expected of them. The more the individuals in the target group can identify with the goal, the higher their participation in the program will be. So think carefully about this component and make sure you have a plan that is supported by the core team and management.
Want to learn more? Read the last part of this blog series.