At the Infosecurity North America conference in New York City this week, a group of security executives from various organizations came together to talk about the key features of successful security awareness programs.
All panelists stressed the importance of developing a strategy that is tailored to their individual organization. Matt Nappi, CISO at Stony Brook University, explained that as a CISO for a university, he has to approach things differently than a CISO for a corporation would.
As the senior vice president of Global Cyber Security at Nielsen, Marina Spyrou has to approach different regions in unique ways. An approach that succeeds in one country might not necessarily do well in a different region with a different work culture, she explained.
John Whiting, CISO at advertising company DDB Worldwide, believes that good security awareness starts at home. “If they’re more aware at home, they’re more aware at work,” he said. When a person learns not to click on suspicious links or give personal information to unverified sources in their personal lives, they can translate those skills to their behavior at work.
The methods of acquiring funding for awareness programs will also vary depending on the organization.
Whiting shared an experience in which his CEO didn’t have a problem with the amount of money being requested for a security awareness program, but wanted to be sure that it was effective.
Nappi shared that in higher education it is harder to get funding, but that he achieved it by slowly building credibility. Once the executives came to him, the money followed. He added that security training is particularly easy to get funding for because it is so tangible and the results can be seen.
Similarly, Spyrou shared that Nielsen first did a pilot program that showed how many people clicked on suspicious links before and after training. When there was a decline in the number of clicks, the executives saw how useful the program would be.
Having a dedicated cybersecurity hotline, one that employees widely know about, can help reduce threats as well.
Whiting believes that the cybersecurity teams should be separate from the help desk and employees should be instructed on when to call which line.
Chris Budd, vice president in the CISO Americas group at Deutsche Bank, added that the help line needs to assist the caller immediately. If the person is put on hold, they might give up and end up doing something that has a negative impact.
Nappi stated that giving positive feedback to those reporting issues can be beneficial. If they feel like their request is just going into a black hole, they may not report something the next time it comes up. It’s important to reinforce that positive behavior, he said.