Cisco has jumped into the security awareness arena. I’m a firm believer in taking the time to educate your user community. An employee that is aware can be a powerful thing. Too often I have seen security professionals pontificate on the lost cause that is user education. I think that type of outlook does a massive disservice to the security industry as well as to their respective users. To treat the end user as a blithering idiot is a failing that many of us suffer from. Admittedly, I was once of that mindset.
To pull out that favourite cliché, security is only as good as the weakest link. So, to shore up your defenses you have to educate your users. This is by no means foolproof, a pain I have suffered too many times. Getting it done is a hard slog, but we as security practitioners cannot give up.
To help you move forward with a security awareness program of your own, Mike Rothman from Network World has a list to get you started:
1. Get buy-in from upper management. This is self-evident but if the CEO doesn’t believe, you don’t have a chance.
2. Appoint the right person to lead the charge. Cisco has a well-spoken CSO and a former public relations professional to spearhead the awareness strategy.
3. Conduct extensive research. You don’t know how to most effectively communicate to an audience if you don’t understand them. This is Marketing 101.
4. Build relationships. Engage influencers and get them telling your story.
5. Create security ambassadors. These are really evangelists who are passionate about solving the problem.
6. Identify the right communications vehicles. You need to be in the places where your folks hang out. Maybe it’s online, or town hall meetings. But don’t expect them to come to you.
7. Use credible sources. The CEO is a good place to start, but also make sure that all of your spokespeople are well regarded within the organization.
8. Keep your messages short and simple. If you have a thick manual, you can be assured no one will read it.
9. Use rewards and recognition. Yes – positive reinforcement is good. But I also believe in a public execution once or twice to show the company you are serious.
10. Make training companywide; no one is above the law. Everyone needs to understand and adhere to the policies.
[tags]Security Awareness, Cisco, Learning Management, Educate End Users[/tags]