http://www.csoonline.com/read/110106/fea_awareness.html
By Lew McCreary
October 2006
Since this magazine's inception, our CSO friends and sources have
bemoaned the prevalence, throughout the enterprise, of wrong-headed
views on what constitutes an excellent security mission and program.
Frequently, the complaints have pointed explicitly to the upper
organizational reaches: CEOs, other O's, boards of directors. But the
problem of wrong-headed notions about security in general is often
acknowledged to be both deep and widespread.
Some years ago, CSO interviewed famously colorful consultant Thornton
May (see "Why Security Needs to Blow Its Own Horn,"
www.csoonline.com/read/060103). May generalized about security
executives: "These guys are gifted nonbranders! They couldn't sell water
to a man on fire!"
We beg to differ. There is plenty that lies beyond a CSO's direct
control. But we are here to tell you this: One thing CSOs do have
control over, and accountability for, is the way the security program is
perceived and understood within the enterprise. It all boils down to
awareness, which is built through patient and relentless education and
marketing (yes, marketing) about the importance of security as both the
guardian and enabler of core business value.
An aggressive, well-designed and -executed security awareness program
can help to transform the business culture, increase overall security
program effectiveness and present the "brand" of the security function
in a more positive, business-focused light. It can also help the
security executive "sell up" to senior management and achieve the
elusive goal of tight integration between business strategy and security
practice.
CSO and the CSO Executive Council, an affiliated professional group,
recently conducted an online survey aimed at gauging the current state
and prevalence of awareness programs. Though training is certainly a
subset, our survey defined formal security awareness programs as those
that go beyond the basic training of newly hired employees to educate
them about the organization's policies and procedures. Our definition
cast awareness initiatives as more in line with a full and timely
security curriculum, delivered to (and sometimes beyond) the enterprise
in a variety of ways, and embodying many of the features of a highly
effective marketing campaign.
The results of our survey are mainly encouraging, showing that a vast
majority of respondents are more than ready to bottle and sell water in
the hopes of making combustion of all kinds much less likely.
First, 74 percent of our 168 respondents said they have formal awareness
programs in place that are at least one year old, though such programs
range in maturity. Of these, 27 percent said they have young programs
that are between one and two years old; that was the most popular
answer. Of the remaining respondents, 18 percent were planning to launch
a program. Only 8 percent did not have plans for an awareness program.
Existing awareness programs target, in varying degrees, multiple
constituencies, from boards of directors to senior executives to
rank-and-file employees and even, sometimes, outward to trading partners
and customers. Boards of directors (50 mentions) were in nearly a dead
heat with vendors (49 mentions) for getting the least awareness
attention. Not surprisingly, employees (148 mentions) got the most.
Senior management (123), business unit management (114) and CEOs (84)
also got plenty of focus.
We also subdivided these audiences into specific functions. Not
surprisingly, security, operations, IS/IT, HR and compliance were the
top attention getters. Interestingly, among internal constituencies,
engineering/manufacturing (68 mentions) and R&D (72 mentions) ranked
near the bottom of the list. But the absolute low-vote total went to
partners, those outside the enterprise. (For a look at the value of
treating awareness issues beyond your own walls, see "Building Key
Alliances," opposite page.)
There is recognition that different purposes (and audiences) call for
different strategies. Take audiences, for example. Cherry Delaney, who
is just launching a cybersecurity awareness initiative at Purdue
University (see "Getting Started," Page 34) has identified three core
audiences (staff, students and faculty) and has chosen to take them on
one at a time (which makes sense because, for now, she's a one-person
department). Delaney has plans to exploit the popularity with students
of social networking sites like Facebook.com, a venue unlikely to be of
much value in reaching staff, whom she is targeting with luncheons, live
seminars and intranet-based interactive training.
Besides training (129 mentions), respondents use e-mail and newsletter
alerts (119 mentions), slide presentations (103), live events and
meetings (94), and the corporate intranet (93). A fun-loving 46
respondents said they use quizzes, games and other reward/recognition
ploys to test the effectiveness of awareness messaging (see "Teaching
Tangible Lessons," this page). Twenty-three said they hold live events
explicitly for the CEO or board of directors.
We asked respondents to rate which areas of the business benefited most
from their awareness efforts. By a nearly 2-to-1 margin, respondents
cited reductions in operational risk (to employees or the business) over
other risk areas such as customers or reputation and corporate or
business-unit growth. This seems plausible, since the area of
operational risk is perhaps the lowest-hanging fruit for awareness
programs, the place where CSOs can most easily demonstrate benefits.
It is reasonable to infer that our survey may have self-selected
believers in awareness activities. Still, the results show that the
development of awareness programs is a growth sector. Especially worth
noting in that regard is the high number of efforts that are either just
getting going (18 percent) or have been running for fewer than two years
(27 percent). Apparently, most of you have now moved beyond bemoaning
ignorance and are now spreading enlightenment.
Teaching Tangible Lessons
Will Pelgrin, Director, Office of Cyber Security and Critical
Infrastructure Coordination, State of New York
Awareness promotion strategy: Hands-on tests
Will Pelgrin says he was the kind of child who had to burn his finger on
the hot stove before he understood his mother's warnings not to touch.
"I'm sort of tactile in my approach to learning," says Pelgrin. "Until I
touched it, I didn't really learn the lesson."
So, to recap: When it comes to learning lessons, listening is good, but
experiencing is better.
Believing more people are like him than not, Pelgrin values the
importance of a good tangible lesson. This led him to concoct an
innovative awareness exercise in the spring and summer of 2005, when
phishing was the scourge of the moment. "One thing I was concerned with
was, you know, we send out advisories all the time, we send out alerts,
we send out white papers. Were they resonating with the individuals I
sent them to?"
Phishing's mechanisms were not as broadly understood then as they
eventually became, and awareness defenses against it (the immune
response to social engineering) weren't fully developed. Pelgrin's team had been
working to spread the word in the usual ways. To test the effectiveness
of his antiphishing campaign, he got permission to simulate a phishing
attack and aim it at 10,000 New York state employees across five state
agencies. "I wanted to see if we could make a bigger impact by
demonstrating [the dangers of phishing] versus just [issuing] advisories
saying here's what will happen if you fall prey to it."
In practical terms this meant crafting a phishing-style e-mail intended
to trick recipients into surrendering their user IDs and passwords. The
e-mail, purporting to come from Pelgrin's own agency, said that the
state had just purchased a "password-checker" software program that
could evaluate whether users' passwords were good or bad, and that it
needed their access information in order to do its work.
"I figured this would be really blatant, but also somewhat enticing as
well. It was a fake URL; it came from, allegedly, our [information
security office] here, but the actual e-mail address was not the correct
one. So if people were doing due diligence, we gave them absolute hints
throughout. We didn't want to have it so foolproof that there was no
opportunity for someone to sit back and say, 'Wait a second, something
else is going on here.'"
The e-mail linked to a bogus webpage purporting to be an official state
document. Pelgrin's team coordinated with the Anti-Phishing Working
Group to make sure their design embodied the earmarks of a
state-of-the-art phishing attack. The document included a form asking
users for their IDs and passwords. As soon as a recipient placed his
cursor inside either of the dialog boxes on the form, it was assumed he
had fallen for the scam and the exercise automatically ended. "We didn't
want anyone thinking we were [actually] going to capture secure or
sensitive data."
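The deliberate "hints" Pelgrin describes (a sender address that is not the agency's real one, a link whose visible text does not match where it actually points) are exactly what a recipient doing due diligence should catch, and what the designer of a simulation should verify are present before sending. The following is an added example, not code from the original article or from Pelgrin's team: a small Python checker that reads a simulation e-mail and reports those hints. The e-mail text, the addresses, the domains and the URLs in it are constructed for this example, and the "expected" sender domain is an assumption standing in for whatever the legitimate security office uses.

```python
"""Report the recognition hints planted in a simulated-phishing e-mail.

Added example, not from the original article. All addresses, domains
and URLs below are constructed for illustration.
"""
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate domain of the security office (an assumption).
EXPECTED_SENDER_DOMAIN = "cscic.example.gov"

# Constructed simulation e-mail in the style described in the article:
# a "password-checker" pretext, a wrong sender domain, a link whose text
# shows one host while the href points at another, over plain http.
SIMULATION_EMAIL = """\
From: "Office of Cyber Security" <helpdesk@ny-security-check.example.net>
To: employee@agency.example.gov
Subject: Action required: new password-checker
Content-Type: text/html; charset=utf-8

<html><body>
<p>The state has purchased a password-checker. Please verify your
credentials at <a href="http://password-check.example.net/login">
https://cscic.example.gov/password-checker</a> before Friday.</p>
</body></html>
"""

# Constructed control: what the genuine notice would look like.
CLEAN_EMAIL = """\
From: "Office of Cyber Security" <helpdesk@cscic.example.gov>
To: employee@agency.example.gov
Subject: Phishing awareness tutorial now available
Content-Type: text/html; charset=utf-8

<html><body>
<p>The tutorial is at <a href="https://cscic.example.gov/training">
https://cscic.example.gov/training</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(text):
    """Hostname of a URL or a URL-looking string; None for ordinary words."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def find_hints(raw_message, expected_sender_domain):
    """Return the list of hints a careful recipient should notice."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    hints = []

    sender = parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain != expected_sender_domain:
        hints.append("sender domain %r is not %r"
                     % (sender_domain, expected_sender_domain))

    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        target_host = hostname(href)
        shown_host = hostname(text)
        if target_host and shown_host and target_host != shown_host:
            hints.append("link text shows %r but points to %r"
                         % (shown_host, target_host))
        if target_host and not href.lower().startswith("https://"):
            hints.append("credential link %r is not https" % href)
    return hints


if __name__ == "__main__":
    for name, raw in (("simulation", SIMULATION_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, find_hints(raw, EXPECTED_SENDER_DOMAIN))
```

Run before a simulation goes out to confirm every intended hint is actually present in the final HTML; run against the legitimate template to confirm it reports nothing, so the lesson taught afterward ("check the real sender, hover over the link") is one the genuine notices will pass.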
(There's this weird double-negative thing at work here: A fake phishing
e-mail goes out intended to fake-fool users by sending them to a
fake-fake website where they end up being not really entrapped.)
According to Pelgrin, 15 percent of the 10,000 recipients fell prey to
the simulated attack. Users deemed to have failed were sent to a brief
online tutorial he authored on how to recognize a phishing attack; they
were also shown a video on phishing from Microsoft and then presented
with a quiz inviting them to view 10 websites and decide which were
genuine and which were fake. (The quiz is available from Mail Frontier
at www.sonicwall.com/phishing.) "I wanted this to be a very warm and
fuzzy approach to learning," Pelgrin says.
Besides his enthusiasm for demonstrative learning, Pelgrin also extends
his awareness work beyond New York to other states and government
agencies, both through informal networking activities and through his
chairing of the Multi-State ISAC (www.msisac.org), which hosts a Cyber
Security Awareness Toolkit and other resources.
Building Key Alliances
Greg Halvacs, VP and CSO, Cardinal Health
Awareness promotion strategy: Get decision-makers involved
Greg Halvacs is a relationship builder. Just about every good thing that
happens for Halvacs' security program grows out of the strong
connections he's made with key people in the business. For example, when
he headed up global security at Kraft (he joined Cardinal in April), he
says, "I built strong relationships with quality [control]. Because
nothing got done at Kraft unless there was a quality process [involved].
So getting the senior vice president of global quality on board and
sharing, like on issues around the whole area of food protection, was a
big win."
But Halvacs doesn't stop with top functional executives; he also works
to create deep linkages across the entire organization. At Kraft, which
has operations in 152 countries and at hundreds of sites, Halvacs
identified and recruited between 300 and 400 "site coordinators," whom
he empowered to be his local emissaries. (Note: Halvacs is a member of
the CSO Executive Council.)
"We trained them on the basic elements, the basic X's and O's of
Security 101," he says. "Because what I've found is that you'll never
have a large [security] organization, so you have to empower the field
and show them what they can do to prevent things." For example, while at
Kraft he published a simplified field guide on how to handle
investigations without needing someone from global security to parachute
in (though, of course, there was a soft-sell bailout: "And if you need
help, call us").
"Driving programs through the site coordinator is key so that there's
[local] ownership. And the mantra of the day for us, what I pushed [at
Kraft] and now at Cardinal, is to try to build self-sufficient programs.
Give [functional leaders and site management] the information they need
so they can make the best decisions," he says.
While CSOs often talk about creating a "culture of security," Halvacs
recognizes that the diversity of internal organizations suggests that
security programs have to exist in, and be transportable to, many
different cultures. "Everybody has a different need and a different
spin, whether it's a sales office or whether it's a manufacturing
facility or a corporate office," he says.
Awareness programs can reach beyond the enterprise to touch suppliers
and other trading partners. "At Kraft we did the same thing with our
suppliers and comanufacturers [as we did internally]. We built awareness
in baseline [programs] and standards that they had to follow. And we
allowed them to plug in to our training and awareness resources," he
says. Although imposing internal standards externally can be politically
delicate, Halvacs says that "because we were very important customers of
theirs, they would basically bend over backward." Again, his strategy
was to have Kraft executives in the quality group, as the substantive
owners of the supplier relationships, drive the third parties'
compliance with global security's standards.
Asked what he thinks the "killer benefit" of an awareness program is,
Halvacs alludes to a core CSO challenge: getting key decision-makers to
respond appropriately in a potentially volatile situation. "It's knowing
when to pick up the phone when they get in trouble, from the very first,
and not screwing something up and shoving it under the rug. [It's
getting] the light to come on when they're in the middle of the
situation," before it spirals into crisis. "That, I think, is the
biggest bang for the buck," he says.
Halvacs says good awareness programs can help drive home to senior
management the ROI of proactive security initiatives. He cites
background screening and drug testing. "Those are real numbers, you
know, because the government says [drug abuse costs a business] anywhere
from $10,000 to $12,000 per employee" annually (in health claims, sick
time, workers' comp and on-the-job injuries). Adding drug testing to
preemployment background screenings can save a business $1 million a
year for every 100 high-risk applicants it doesn't hire. "You can really
show the ROI, or cost avoidance," Halvacs says.
So, how would he advise someone just starting an awareness program? "I
would definitely do some due diligence and work at the high levelthe VP,
senior VP level. Ask what are the needs in their organizations, what's
keeping them up at night. I think, more than anything, it's building
relationships at the top," he says. "Really, the key word is
partnership."
Getting Started
Cherry Delaney, Coordinator of Security Awareness and Outreach, Purdue
University
Awareness promotion strategy: Divide and conquer unruly constituencies
When launching a security awareness program, you may find it hard to
know where to begin and harder still to stick to your strategic plan,
with all that flagrant lack of awareness crying out for remediation!
Cherry Delaney, Purdue University's coordinator of security awareness
and outreach, faces the tug of competing priorities on a daily basis.
Delaney, a 10-year IT veteran who is just eight months down the road
toward creating the school's first cybersecurity awareness program, is a
lone ranger patrolling an uneasy range. "There's just one of me," she
says. And Purdue, based in West Lafayette, Ind., is like other
universities, committed to traditions of open inquiry and free-flowing
information.
Academic culture is thus a double-edged sword that presents special
challenges to a security program. "That is a problem. We do really try
to stay open," acknowledges Delaney. "And so hackers, or whoever, are
hitting us harder than [they do] corporate sites, because we don't nail
things down; we don't shut down as much as [businesses] do to control
things."
Add to that the regular turnover of significant percentages of the user
community (students, staff and faculty who come and go with each new
semester) and you have awareness issues of extra complexity.
As with any unbegun awareness program, there's no wrong time to start
one. But, in Purdue's case, why now? "We had a breach of Social Security
numbers last year," says Delaney, "and that really heightened [the
interest in improving awareness]. Making national headlines is not a
good thing."
That Purdue breach, along with other well-publicized data mishaps in
both government and the private sector, got people tuned in much more
urgently to the fact that Purdue "needed to have some kind of marketing
communication and training in awareness." Moreover, Indiana, like many
other states, recently passed legislation governing Social Security
disclosure and breach notification, placing new liability on
institutions of all kinds.
Delaney's launch strategy has been to address the university's three
blocks of users (staff, students and faculty) one constituency at a time.
She chose to start with university staff, in part because they, more
than students or faculty, would be subject to the state's new
data-handling requirements. Plus, after nine years spent in Purdue's IT
function, Delaney is well-acquainted and has influence with that group.
"It's not that I'm doing nothing for students and faculty," she says.
It's just that she's trying to remain focused on first things first and
not allow herself to be run in too many directions.
In getting the word out about security priorities, Delaney relies on
departmental luncheons, webcasts, podcasts and low-cost campuswide
publicity (pitching security-related stories to The Exponent, Purdue's
daily student newspaper, and Inside Purdue, a publication for faculty
and staff). In October she held a staffwide Security Awareness Month,
featuring daylong presentations on the most urgent data security issues:
encryption, data security on the road and working from home, information
classification and the operational requirements of the new state
regulations.
One challenge is communicating with her various audiences in terms that
will resonate with each. "You have different levels of expertise you
have to talk to," she says. And not only expertise but frames of
reference. "I mean, not as many staff people are going to be on
Facebook.com [a social networking site popular with collegians] as
students. So you've got different issues, depending on the demographics
of the people you're trying to reach," she says.
Faculty members represent perhaps the toughest nut to crack. They enjoy
plenty of authority and autonomy. For that reason they are a little like
lawyers or physicians, two famously tough groups to domesticate to
habits of right behavior that may seem in conflict with their sense of
mission.
That reality makes it clear why Delaney might want to get her game face
on by tuning up with the friendly staff.
Lew McCreary, CSO's former editor in chief, is a member of the Content
Expert Faculty of the CSO Executive Council.
-=-
Ideas from Awareness Survey Respondents
* Live events help lessons sink in. Hold monthly brown-bag awareness
lunches for departments or remote facilities.
* Stay in people's faces: Publish a monthly newsletter on current
security threats and issues. Report security metrics, both good and
bad.
* Find ways of expressing the cost-avoidance benefits of improved
security. For example, put a dollar amount on fewer incidents and
shorter recovery times.
* Have the CEO and other top executives attend security Q&A meetings
(and have them take some questions). Make sure important security
memos go out under the CEO's name.
* Have direct contact with employees. Manage by walking around!
* When new threats emerge, act quickly to inform the enterprise.
Demystify but don't scare.
* Make awareness initiatives vivid so that they are felt on a personal
gut level by individual employees.
* Engage in multimedia education: posters, online tutorials, live
events, podcasts.
* Focus on high-value awareness initiatives: loss-prevention in retail
businesses, counter-competitive-intelligence strategies in
research-rich environments, data privacy in financial institutions.
L.M.
Copyright 2002-2006 CXO Media Inc. All rights reserved.