Adding People to the Security Infrastructure
Defining security ownership and making security awareness a managed process are two of the five steps organizations can take to address the "people aspect of security" — a missing component in many security awareness programs.
Khalid Kark, CISSP, CISM
Forrester Research Inc.
Security awareness demands have changed significantly during the past few years — from simple security guidelines to programs that seek to balance internal vulnerabilities and external attacks — due to frequent and rapidly changing threats. To add more fuel to the fire, many organizations have to consider compliance with a myriad of regulatory requirements when delineating their security efforts. For instance, current regulations such as the European Union (EU) Directive on Data Protection of 1995 and U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996 include specific requirements organizations have to meet to ensure the safety and privacy of information.
Regardless of the external threats and regulatory requirements companies must take into account, organizations with well-established security programs know that security is a function of people, processes, and technology working in concert. Unfortunately, the people aspect of security is often ignored in some companies. To bring people back into the security equation, organizations should establish a security awareness program that meets their needs and is in compliance with internal and external regulatory responsibilities.
THE FIVE STEPS
As part of their work, internal auditors review existing efforts and recommend best practices to enhance a company's security landscape. To help companies promote the implementation of security awareness programs that address the impact of stakeholders on companywide security efforts, auditors can recommend that companies establish a security project owner, do preliminary research, create modular program content, communicate program policies and procedures, and implement a managed process for the security program. When combined with existing policies and procedures, these five steps go a long way to enhance the organization's level of compliance with internal and external regulations.
1. Define Ownership
As with any other project, if the ownership and accountability of the program are not defined clearly from the beginning, the program may not operate as effectively as it should due to a lack of clear leadership. Although IT departments are often made responsible for the security awareness program, organizations should keep in mind that:
IT does not have to be the owner. Some organizations make the mistake of treating security awareness as another IT project, which can result in a lack of ownership and buy-in from other business units and the creation of IT-centric awareness sessions. Even though an IT department could be one of the program's primary contributors, it does not have to be the primary owner. Other functions, such as communication, marketing, or human resources, can be responsible for the program. Regardless of what department is in charge of this effort, auditors should recommend that program owners be given access to available internal resources to create program content that meets corporate security needs.
Program managers do not have to be technical. Because many security projects are owned by IT, many executives believe the security awareness program must be technical in nature and the project manager should have a technical background. However, security awareness programs with nontechnical program managers can be just as effective, as long as technical issues are communicated in terms that are easily understood.
They must set success criteria and program accountability. The company must be responsible for defining both the goals of the program and the criteria for success, while setting parameters for staff accountability.
2. Do Your Homework
Some organizations purchase prepackaged awareness solutions to reduce the amount of work needed to implement a security awareness program. Although these solutions may cut back on the time needed to establish IT security controls, the end result could be a program that is based on an incomplete image of the current security landscape, rather than a program that takes all security needs into consideration. Whether organizations choose a prepackaged solution or develop one internally, they have to do the initial homework by:
Determining organizational needs. Organizational needs can stem from regulatory mandates or the need to boost awareness of high-risk areas. Regardless of what these needs are, they should be stated and developed clearly with input from key business units within the organization. Statements such as, "ensure 95 percent of employees are aware of and can respond to social engineering attacks," define both the need and the criteria for measuring success. Statements such as, "making all employees aware of internal and external threats" or "awareness must ensure all corporate assets are protected," do not have a clear focus or express any substantive need.
Assessing external threats. During the past few years, external threats have surged: Hackers are getting smarter and competitors are getting more aggressive. Threats including phishing and social engineering affect many companies in today's environment. In addition, if the organization works in a competitive industry, competitors might look for opportunities to compromise systems and gain competitive information. As a result, auditors should recommend that companies perform a risk assessment to determine the kinds of threats that could affect IT systems and to identify the kinds of security controls needed to hinder external attacks and diminish vulnerabilities.
Getting management's commitment. Management supports projects by providing financial, political, and time commitments. Awareness projects require one more commitment: Managers must "walk the security talk" by committing to the program before it is launched. For example, if a senior manager circumvents the organization's security controls, employees are likely to disregard the need for security.
Reviewing existing policies. Organizations must ensure that the awareness program does not contradict existing corporate policies. In addition, the program does not need to rehash everything mentioned in a policy statement — it should identify two or three key risk areas and focus employee awareness on them. For example, although an acceptable-use policy may cover several areas, the awareness program may focus on e-mail and Internet use, and software downloads.
3. Create Modular Content
The fastest way to lose employee attention is to present irrelevant information: Some awareness topics apply to all users within an organization, while others may apply only to a subset of users. Awareness content should be modular and presented to similar audiences so that only relevant topics get communicated. As a result, effective security awareness programs should:
Define the audience. Audiences must be defined and segmented to deliver focused security awareness to appropriate people within the organization. Using spreadsheets with each awareness topic and appropriate audience can help to accomplish this task. The spreadsheet should take into account the organization's structure and individual circumstances.
Consider including non-employees. Frequently, organizations assume that the only audience appropriate for corporate awareness programs is employees. The target audience of the awareness program may also include consultants, vendors, external staff, business partners, and others who interact with the organization or have access to corporate assets.
Develop or acquire modular content. Many vendors offer security awareness content, but few offer content that is customizable. Whether the security awareness content is developed internally or is acquired, it should be customized to meet the exact needs of the organization. For example, the content could be presented through different mediums, including print, presentations, Web sites, flyers, or posters, to enhance its impact.
Take advantage of new employee orientations. New employees are the most attentive and impressionable audience: They are highly motivated to learn and fit into the new culture. Therefore, new employee orientations are the perfect opportunity to demonstrate the organization's commitment to security and are a good time to get a written acknowledgement from employees that states they have read and understood corporate policies.
4. Communicate Effectively
Effective communication means adapting the content and delivery of information based on the nature of the message, current environment, culture, and audience. Once a message has been delivered, organizations need to find creative ways to reinforce the message through other means of communication. Key criteria for effective communication include:
Having a consistent message. Because conflicting messages lead to confusion and can be counterproductive, all messages from chief executive officers, executive and senior managers, line managers, and awareness trainers have to be consistent.
Starting from the top. Management has to buy into the security agenda before others. It is generally a good idea to start awareness at the management level. In addition to regular security awareness activities, management must understand its governance responsibilities, such as monitoring for security violations and ensuring compliance with corporate policies.
Marketing security awareness with lots of images. Creative, colorful, and exciting imagery and catchy tag lines can bring excitement to the awareness program and have a more dramatic impact than words alone. For example, using newspaper clips that illustrate the disrepute and humiliation caused by a security breach will have a greater impact than simply informing employees about the increasing number of security breaches.
Keeping it real by using analogies and stories. A complicated message can sometimes be distilled into a simple analogy. For instance, security awareness is like a driver's license: To get a driver's license, a person must take an exam that demonstrates he or she knows the rules, which may help to reduce car accidents in the future, but not completely eliminate them. Analogies and stories also could help when dealing with highly complex subjects that require technical skills, such as network monitoring.
Harnessing the power of "water-cooler" talk. A great story travels a long way on its own. Consider giving rewards to employees who, for example, inquire why someone is walking around in an area where he or she doesn't belong or isn't using his or her corporate identification badge.
5. Create a Managed Process
Delivery of awareness to all users does not mean that the job is done. Effective security awareness is a process that needs continuous management and refinement to address the external environment and changing business needs. To make it a successful process, organizations should:
Assess changes in internal needs and external environments. Organizational requirements vary over time, and it is important to keep track of those changes and refine the awareness program accordingly. Likewise, changes in external threats may require modifications to the content of the awareness program. Technological developments, such as the popularity of BlackBerries in the corporate environment, may require additional awareness measures.
Measure performance. What gets measured gets done. Organizations need to define key measurements (e.g., the number of policy violations or security incidents per month) and track their performance over time. Performance measurement also could include feedback on which communications were most effective or which content areas need improvement. Companies should keep in mind that the goal of awareness is to influence user behavior in the long term, and behaviors take time to change.
Improve the awareness process over time. By continually assessing changes in core business needs and in external environments, and by taking good awareness program measurements, organizations can identify the areas that require improvements. The improvements can be small, such as changing a few sentences in a document, or big, such as launching a whole new awareness campaign on wireless security.
DISREGARDING THE PEOPLE ASPECT OF IT SECURITY
The five steps above can help organizations develop more effective and efficient IT awareness programs that address the people aspect of security. Not addressing this important aspect may hinder the company's IT security efforts greatly. Below is a list of the most common problems organizations could face if this important aspect of security is disregarded:
More frequent and costlier security incidents. According to recent figures from the U.S. Federal Bureau of Investigation, online-based attacks cost organizations more than US $32 million in total losses last year in the United States alone. A security-aware organization is more likely to detect incidents earlier and respond to them more appropriately. This leads to fewer security mishaps and a much lower cost per instance.
Damaged reputation. Security breaches of personally identifiable information now have to be made public and can be a huge blow to an organization's reputation. Effective security awareness can help protect the organization's reputation and enhance its brand by demonstrating to customers and stakeholders that the organization has an interest in protecting the data entrusted to them.
Noncompliance with legal and regulatory requirements. HIPAA, the International Organization for Standardization (ISO) 17799 standard, and the EU Directive on Data Protection all require information security awareness for compliance. If auditors do not find the security awareness program to be effective, the organization will fail its audit.
Being unable to take disciplinary or legal action against violators. The lack of a security awareness program can lead people to defend security violations by arguing that they were not informed of corporate policies. Hence, a security awareness program gives organizations a foundation on which to discipline offenders. Another reason to develop a security program is the legal principle of "vicarious liability," which holds companies responsible for the misconduct of their employees — even if the employer is completely unaware there is a problem. A security awareness program can help companies implement controls or purchase software that monitors an employee's online behavior and alerts senior managers of any security violations.
Legal and liability issues. A corporate policy has no legal standing if people can prove they were not aware of it; they can then argue that the organization did not exhibit due care in protecting its own assets and its customers' information assets. An effective security awareness program demonstrates a corporate concern for security and highlights processes for ensuring the adequate protection of information assets.
As exemplified above, disregarding the role people play in an organization's security awareness efforts can have serious repercussions that extend beyond financial losses and downtime of IT systems.
Although organizations continue to spend millions of dollars on technical solutions and process improvements, many are still vulnerable to external and internal security breaches. While security is a function of people, processes, and technology working hand-in-hand, the people aspect of security is often disregarded. The five steps above — establishing a security project owner, doing preliminary research, creating modular program content, communicating program policies and procedures, and implementing a managed security process — provide a starting point to help organizations develop effective and efficient security awareness programs aimed at informing company staff, vendors, partners, and stakeholders of the company's commitment to security. In addition, auditors could use the five steps above when providing recommendations to organizations that fail to incorporate security practices that address one of the three most important aspects of security — people.
Khalid Kark, CISSP, CISM, is a senior analyst for Forrester Research Inc., where he focuses on information security policy and practice, including security awareness programs, information security roles and reporting relationships, security strategy, metrics, best practices, and compliance activities. Prior to working in Forrester, Kark worked for FM Global as a senior security architect, as well as with Fortune 500 companies developing and implementing effective information security programs and ensuring compliance with regulatory standards.