If you want your security education program to be both successful and resilient, six key steps will help you get there:
Step 1 – Define Your Burning Platform
Before you define what is at risk, you need to identify the ultimate reason for implementing a security education program in your organisation. Ask yourself—what is our burning platform? This is essentially the crisis cyber (and perhaps even physical) security event that drives your overall desire to educate employees. For example, in a data and customer-centric organization, this might be the mass exfiltration of customer data.
Then, align this burning platform statement back to your overall business strategy objectives—how will your security program help realize the broader business goals?
Step 2 – Identify Your Risks
Security education pivots around people. Like any good security program, you need to map out the key risks to your business, with a focus on people and which groups are most susceptible. You can identify risks through numerous means, including surveys, interviews, analysis of existing training or support desk data, existing risk assessments, and existing threat detection and response data.
For example, if your burning platform is the mass exfiltration of customer data, then one of the main people-related routes to that outcome is phishing and social engineering, and the most critical groups to reach with education are people with financial and/or administrative access.
Define why this is a risk, what measures you currently have in place and where your gaps are.
Step 3 – Map Out Your Campaigns
Now that you know where your gaps are, you need to map education campaigns to risks. Essentially:
- What should people learn? These become your education topics.
- How will you package these topics into bite-size education campaigns?
- Which risks do the campaigns or topics align to?
- How will you get the message out? What communication channels will you use? (Hint: Use everything at your disposal and reinforce the message regularly.)
Step 4 – Define Your Success Metrics
Lots of people skip the step of mapping out their success measurements, but it is important to show progress and retain ongoing support of your education program from your program sponsors.
There are two types of success metrics—primary and secondary.
Primary success indicators are measures that demonstrate a direct impact on the desired change, the person’s understanding and/or their mentality. For example, you may develop an education campaign around secure coding, and the goal is to reduce high and critical-rated vulnerabilities in your in-house applications. One way of measuring this is with a code vulnerability scanner. Before you implement an education campaign, you take a baseline of coding vulnerabilities. Then, at regular intervals, you measure the type and number of high and critical vulnerabilities. Primary metrics are often hard to define and measure in security education, as there are usually many variables that contribute to change and behavior.
Secondary—or vanity—metrics are those that indicate progress towards the target state, but they don’t ultimately validate that the goals have been achieved. For example, in a secure coding education campaign, you would measure the number of participants against the total number of developers in your organisation. It doesn’t prove their behavior has changed, but it shows that you’re engaging the right people.
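The baseline-and-interval measurement described for the secure-coding campaign, as an added example that is not from the original article: it derives the primary metric (high/critical findings per interval versus the baseline scan) and the secondary metric (share of the developer group reached) from constructed data. The scan snapshots, application names and usernames are all made up for illustration.

```python
"""Primary vs. secondary metrics for a secure-coding education campaign.

All data below is constructed for the example: scan snapshots are lists of
(app, severity) findings, and participation is a set of usernames.
"""

# Severities the primary metric tracks (the campaign goal in the text).
TRACKED = {"critical", "high"}

# Constructed scan snapshots, one per measurement interval. The earliest
# snapshot is the baseline taken before the campaign started.
SCANS = {
    "2024-01-15": [("billing", "critical"), ("billing", "high"), ("portal", "high"),
                   ("portal", "medium"), ("portal", "high"), ("crm", "critical")],
    "2024-04-15": [("billing", "high"), ("portal", "high"), ("portal", "medium"),
                   ("crm", "critical"), ("crm", "low")],
    "2024-07-15": [("portal", "high"), ("portal", "medium"), ("crm", "low"),
                   ("billing", "medium")],
}


def tracked_count(findings):
    """Number of findings rated high or critical in one snapshot."""
    return sum(1 for _, severity in findings if severity in TRACKED)


def primary_metric(scans, baseline):
    """Per-interval high/critical count and percent change versus the baseline.

    Returns {date: (count, pct_change)}; pct_change is None for the baseline
    itself (or when the baseline is zero). A falling count is consistent with
    the campaign working, not proof of it: tooling, releases and staffing
    changes move the same number, which is why the text calls this hard.
    """
    base = tracked_count(scans[baseline])
    result = {}
    for day in sorted(scans):
        count = tracked_count(scans[day])
        if day == baseline or base == 0:
            change = None
        else:
            change = round(100.0 * (count - base) / base, 1)
        result[day] = (count, change)
    return result


def secondary_metric(participants, developers):
    """Share of the target group reached; attendees outside the group don't count."""
    reached = participants & developers
    return len(reached) / len(developers) if developers else 0.0


if __name__ == "__main__":
    for day, (count, change) in primary_metric(SCANS, "2024-01-15").items():
        print(day, count, "baseline" if change is None else f"{change:+}%")
    print("coverage:", secondary_metric({"ana", "ben", "cal", "dee"},
                                        {"ana", "ben", "cal", "eve", "fay"}))
```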
Step 5 – Get Funding
You have now established why, how you’ll deliver and how it will be measured—the final task before commencing is to define a multi-year program plan, resourcing and funding. This is where core project management skills come into play.
Think about the skills your team will need and identify any gaps. Also think outside the box—supplementing a technical team with graphic designers and change and communications specialists will serve you very well. If you can’t afford a dedicated designer or learning module developer, look to the gig economy! Websites like Elance and Freelancer.com allow you to hire from around the world at varying hourly or fixed-price rates (and—fair warning—varying quality). Often, education materials like content for posters and graphics aren’t sensitive data and can be shared externally—but always ask your contractors to sign an NDA anyway.
Step 6 – Implement
Phew! Congratulations on getting the funding—but the big work is still ahead. Now you need to help your people make true behavioral change.
For each campaign you identified, you’ll go through a process to develop the campaign materials, execute, report on success metrics, review your learnings/refine/improve and ensure you reinforce the messaging regularly.