The Goal of a Security Awareness Program

I've been at the 11th General Meeting of MAAWG in Washington, DC for the past few days. I can honestly say that this, my 8th MAAWG conference, is the best one that I have been at yet. In addition to MAAWG members, representatives from the London Action Plan (LAP) and the Contact Network of Spam Authorities (CNSA) were also invited. Having all of these groups at the conference provided some great insight and perspective as to law enforcement and anti-spam efforts in the UK and the EU. There are some invitation only meetings between MAAWG, the LAP, and the CNSA on Thursday which I am hoping to will lead to action items for continued cooperative work between the organizations as we move forward.

So, in keeping with the theme of the month today's topic is understanding the goals of a successful Security Awareness Program. We've already discussed why organizations of all types need an SA program, so now that you understand this, the next logical step is to understand what the goals of that program should be. If you go forward with implementing a program without a clear goal in mind, it will surely fail.

One of the most important things to remember about implementing an SA program is that security is a journey, not a destination. There isn't a point where you finally say, "We're here" and stop. The process of your SA program needs to continually evolve and change to meet the needs and requirements of your organization.

The end intent (your goal) is to create an overarching security posture so that the thorough assessment of risk and potential security issues become larger parts in corporate decisions and initiatives.

So, how to achieve this goal? There are 4 main steps:

1. Build interest in Security Initiatives Internally

In the end everyone has to be on board with whatever security initiatives that are enacted. In order to make sure everyone is on board the implementation needs to not take away from someone's ability to do their job efficiently. Additional burden means additional resistance. Even just one person who decides to undermine the integrity of your security position can cause a breach of confidential information of any kind.

2. Educate! Educate! Educate!

Make sure that employees understand not only what policies and procedures are being implemented (and where they are posted on your corporate intra/extranet) but why they are important and why they should care. Policies that are not understood are less likely to be followed and less likely to receive continuing management support.

If done properly, good security procedures can actually make you more efficient!

3. Communicate! Communicate! Communicate!

Regularly follow up on implemented procedures to make sure that your SA program is not "set and forget." Remember this needs to be a process that evolves as regularly as your business does. Otherwise its policies and procedures will become out of date and irrelevant which leads to the policies not being followed.

4. Repeat

Start back at Step 1 and do it all over again! This is the best way to reinforce the program and its importance to the organization. It's easy to forget something you just hear once. It also removes some of the urgency if it is not regularly followed up on and reinforced. Continually repeating these steps will not only show continued urgency and support from the organization, but will give better chance to ensure that your SA policies are better ingrained into your corporate culture at all levels.