Every organization should have an annual security awareness program – but some don’t. Some businesses just continue doing what they are doing, not realizing that they could improve if they stopped and reassessed. If you are a Security Awareness Manager who is new to your organization and preparing for your first year with the program, I am here to tell you that you don’t have to simply continue what your organization has been doing; you can enact change instead.

But, don’t just take it from me. Take it from this expert panel that I organized for our 28th Cyber Security Awareness Forum:

Elizabeth Orpina (EO) – Elizabeth is a security awareness professional currently working at GitHub with over five years of experience in the space. She brings her background in nonprofit work to tech companies to inspire and maintain strong security cultures amongst employees.

Erin Gallagher (EG) – Erin is the Cyber Security Lead at Fastly and has been working in the security awareness field for 5 years. Erin has helped build programs for companies ranging from 1,200 employees to 500,000. 

Michelle L (ML) – Michelle is the Founder at Risu Consulting, a consultancy that helps startups create meaningful and simple security education strategies. She has 20 years of experience in creating engaging and meaningful training.

Ryan Healey-Ogden (RH) – Ryan is Click Armor’s Director of Business Development. He has a passion for security awareness, education, and technology and how it relates to people.

And myself, Scott Wright (SW), CEO of Click Armor, the sponsor for this session. Now, let’s get to our discussion on first year annual planning for security awareness:

1) What are the top factors that will determine the resources and activities of your annual Security Awareness Program plan?

SW: What works really well is to start by assessing the landscape, looking at things in detail around what are the opinions of people and what are the opinions of executives. Then we start defining what are the objectives and scope based on the assessments that we’ve had. Then we can look at what are the content areas that we need to prioritize. And we also want to set up communication channels because we need to let people know in advance what’s coming. 

Then, of course, deploying training and setting up reporting channels.

EG: It depends on what you are hearing. So I’m just creating an awareness program now, so a lot of the resources and activities that we have planned for this year are starting with the basics. But a lot of that also comes with conversations with those teams and with the people who have been in the company already for quite some time. So the managers who were or are in security, they help me dictate what is going to be in the program. It’s important to remember that what worked for your last organization won’t necessarily work for your current organization.

EO: I agree with Erin, leadership buy-in is super important, specifically on the security team because they decide the budget you are given.

Other factors that determine the resources and the activities of your program plan are your company culture, the appetite for education, and the existing structures for internal communications. Is there an effective and efficient intranet? Does the company use Slack or Teams? Are people engaged? Are there other things going on in the company like, the forbidden word, layoffs? The macroeconomic conditions? If we’re asking them to do training, are people burnt out? Those things will affect how people take requests from the security team – or any other team.

The last thing is your ability to build and manage relationships across the company and throughout the department. Your ability to take advantage of those existing programs, resources, and skill sets to identify opportunities for collaboration, automation, what already exists in the environment that you can utilize to inform the resources and the activities of your program.

ML: I would say besides leadership, which I would agree is very important, your messaging will decide what your program will be for the next year. You have to decide what messaging you’re going to do and what your core themes are going to be for the year – or at least for the first two quarters, because you will probably need to reassess anyways. 

And what are our priorities and what do we think? What are we seeing? People are exhausted. I think we’re all exhausted, both stressed. And I think it’s worth trying to work out how we can show that we’re working with people and we’re trying to help them as well.

2) What are the core topics that should be in your first year?

EG: It depends. But there are things that I think you should cover every single year. I think every year that you should cover phishing, social engineering, passwords, and multi-factor authentication. 

Then the other piece is that those should be spread out. I think everything is really important, but I think giving it to everybody all at once is going to be way too overwhelming. And you’ll figure out how to structure your content based on the level of security understanding and appetite, from the interviews that we talked about in the first part. So I think the basics are always important and the basics should always be repeated. But making sure that you add on it every time to make sure that you’re not redundant in what you’re saying.

ML: If you’re talking about an embryonic security awareness program, so you’re not taking over from anybody else, listening is something that we forget hugely. I will often say to even large organizations that I advise you just to go out and do some focus groups and then come back and do some more quantitative stuff. Which is why your security champions become very valuable.

What even your executives think your people need, might not actually be what they need. There might be something a bit deeper or they might be trying to do what you’re asking them to do, but they might be blockers. So, start with listening and hearing before doing anything else.

EO: Yeah, again it depends. It really depends on the environment you’re working with, especially if you are the first one developing the security awareness program. You want to evaluate the environment you’re in, which includes your own security team. How good is it?

What kind of configurations have they already put in place? What automations have they done? What policies are adopted that make your job easier? What makes the program more mature? What are you walking into? 

Your first year also might be more focused on projects than topics. Projects such as selecting a learning management system, revamping the annual training, and looking at what audit is requiring. If you really need guidance, ask your Threat and Response Team because they’ll tell you exactly what you need and you’ll know where to start. 

3) How do you adjust your plan for year 2 and beyond?

EG: Like I said, it’s fluid. We don’t know. We don’t know what’s going to happen in two. But, there is someone I know in the industry who has done a really good job of planning for a year or two and beyond. They have a virtual security academy that they change every year, and it’s an opt-in program. It’s similar to a security champions program, but it’s more informational. This helps them do a really good job of that year two and beyond planning because they are continuously stepping up their content to be something different every year and to be more advanced the next one.

EO: Again, our favourite phrase: It depends. What does your budget look like for the year? Are you allowed to hire contractors? Do you have access to technical program managers? And finally, how did the company and leadership react to year one? Were they satisfied? Are they asking for more?

Whether it’s your first or tenth year in a security awareness role, this expert panel gave some great insights into what should go into your annual planning. A lot of it depends on your organization, but always listen to your team members’ opinions, get executive buy-in, and focus on building relationships throughout the organization. If it is your first year, don’t be afraid to call for change. It’s up to you to take the right steps to create stronger protection for your business. If you’d like to learn more about first-year annual planning, check out the full session on our YouTube. 


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.