5 Quick Tips To Strengthen Enterprise Security Advocacy

Cyber security is a holistic exercise that depends on the efforts of the security team, including CISOs, CSOs, VPs of Information Security, along with other lines of business (LOB). Critical security information must be passed along the proper channels – outward to the employee base and upward to the C-Suite and board of directors. That means everyone must have a knowledge base around cyber security. This doesn’t mean they must be technical wizards, but awareness could be key in preventing a pervasive cyber-attack.

To be successful, it is essential to overcome the challenges surrounding security awareness, which includes negative perceptions that security is complicated, too technical or even boring. Once these negative perceptions have been addressed, the team can then move on to fundamental best practices that may not necessarily cost a lot but will bring immeasurable benefits for the long-term.

Here are 5 best practices you could consider:

1. Agree on the definition of 'critical.'

In any endeavor, it is best to begin with the right intention and mindset. This is especially true in raising security awareness. Security expert Jamal Hartenstein suggests, “Begin with a thorough understanding of the company culture, size, organizational structure, and business objectives. Use these factors to get agreement from C-suite on the cyber security strategy, communication plan, and the definition of ‘critical,’ and then, adhere to the plan when passing critical security information to employees and the C-suite.”

2. Make your trainings fun and short.

It is all about human behavior. While security is definitely a serious business, the process of passing critical information can be done in a much lighter and engaging way. Do not attempt to teach everything in one session. Space out your trainings to keep it short and use materials that elicit a response such as memes or infographics. Designing a contest wherein employees will be given a chance to compete with each other in a friendly manner will be helpful too.

3. Prioritize topics and have them in separate sessions.

Security is a wide topic and covers many different aspects and dimensions. Topics like password security, access control, mobile device security and threat response should be scheduled in separate sessions. The audience of your training can be grouped accordingly as well. Extend the training to everyone in your organization, not just IT leaders or staff, but have separate sessions for different lines of businesses to set the right context for the training and have a more productive outcome.

4. Calibrate your topics according to what will yield the best results.

Cyber security best practices for employees and the C-suite are fundamentally different. In designing your training program, calibrate your topics according to what’s most suitable to your audience. Long-time security practitioner Doug Cahill has this advice: “Employees need to be regularly reminded about the appropriate and vigilant use of email, the web, and cloud apps and how they relate to spear phishing attacks, bogus impersonation emails or data loss. On the other hand, the C-Suite is most concerned about risk management so lining up topics which include identifying the organization’s most critical assets and putting strategies in place to protect them including access controls and monitoring, will be most helpful.”

5. Start from the top. The C-suite is your ally.

Dealing with the C-Suite requires a unique approach. What should be delivered to the C-suite, at what frequency, and how depends on a few factors. Jamal Hartenstein offers this approach: "Where the critical security information comes from and what governance bodies it has passed through before reaching the C-suite is significant. Security advocates must ensure proper channels have been consulted or informed (especially if a RACI can be adhered to). The C-suite ought to receive a concise dashboard with appropriate indicators on the criticality, including descriptions of business risk and impact."

"The frequency of updates should either be immediate/ad hoc, based on criticality, or at systematic and continuous periods in order to provide the C-suite with a reasonable level of awareness that the organization agrees they would be comfortable possibly having to share with attorneys or the media. Be forward thinking as to how your information-sharing practices now can impact the business during a cyber-event in the future," Hartenstein adds.

He further concludes: "Not all employees need to know everything. Need-to-know applies to the passing of critical security information just as it applies to permissions/rights to access data. The best practice begins with data-flow diagrams identifying what data you have, who has access to it, and where the data goes. Use data-flow details to determine your communication plan to employees with regards to type and criticality of the security information. Be cognizant that an enterprise-wide email to all employees can sometimes “somehow” make front page news. For this reason, critical security information is carefully crafted for target employee audiences. Generally, informing of the threat and the consequences is most sensible. Omitting details on the vulnerability related to the threat also makes sense, unless you are addressing the team who are responsible for remediating the criticality of the matter at hand.”

See Related: "Security Advocacy: A Must For Today's Enterprise"