In Part 1, we covered the basic design and structure of a NIST SP 800-50 aligned SAT program. You can read it here in case you missed it. In Part 2, we will focus on what it takes to implement and maintain a successful security awareness and training program, from conducting the needs assessment to post-implementation.
According to 800-50, the needs assessment should answer the following questions:
1. What awareness, training, and/or education is needed?
2. What is currently being done to meet these needs?
3. How effectively is the current program meeting these needs?
4. What are the gaps between the needs and what is being done?
5. Which needs are most critical?
To be effective, the needs assessment must involve key personnel such as executive management, security personnel, system owners, system admins, IT support, operational managers, and system users. A variety of techniques can be employed to conduct the needs assessment, including analysis of metrics related to security awareness and training, review of findings/recommendations from oversight bodies or program reviews, and analysis of security events that indicate a need (see NIST SP 800-50 for a full list).
Strategy & Plan
With the needs assessment complete, you can shift your focus to the development, implementation, and maintenance of the security awareness and training program. The plan is a working document that contains strategic elements like:
· Scope of the security awareness and training program
· Roles and responsibilities of personnel who should design, develop, implement, maintain, and oversee the security awareness and training program
· Goals, learning objectives, and deployment methods for each aspect of the program
The final step in the planning stage is to determine the implementation schedule. In some cases the security awareness and training program may need to be implemented in phases, so it’s important to decide which initiatives to schedule first. Considerations include availability of resources, the current state of the security awareness and training program, organizational impact, and critical project dependencies.
Of course, nothing happens without funding. The security awareness and training program must receive adequate resources, financial and otherwise, if it’s to succeed. Budget requirements can be expressed as a percentage of the IT budget, allocation per user per role, or explicit dollar allocations, among others. It’s worth noting here that it’s the CIO/CISO’s responsibility to overcome any funding shortfalls. For one reason or another, the organization may not always be willing or able to allocate proper funding to the security awareness and training program. In this case, a balance between the need for security awareness and training and available resources must be achieved.
SAT Program Material
Effective security awareness and training materials are developed with the following questions in mind:
1. What behavior do we want to reinforce?
2. What skill(s) do we want the audience to learn and apply?
The material should be interesting, current, and relevant while also making all individuals aware of their shared security responsibilities. There are many topics and sources for developing SAT material: see NIST SP 800-50 and 800-16 for detailed insights.
The security awareness and training program implementation plan should be fully communicated to the organization in order to achieve support and buy-in. As stated in NIST 800-50, this includes expectations of management and staff support, program results, organizational benefits, funding issues, schedules, and completion requirements. Awareness material can be delivered in many ways—some obvious and some not so much: posters, email blasts, videos, in-person sessions, regular security tips/alerts, award programs, desktop backgrounds, etc. Training material requires some level of interaction since the goal is to build skills and competencies. Some common techniques include interactive video training, web-based training, and on-site training. Before deciding on distribution methods, consideration should be given to organizational culture, structure, resources, and mission/business functions.
As with everything we do, continuous improvement should always be the goal. This is especially true with security awareness and training because of its role in effectively managing organizational cybersecurity risk. Processes must be enacted to monitor effectiveness and compliance with the SAT program. These processes should accommodate the distinct needs of all intended users: CIO/CISO, security program managers, HR, training departments, functional managers, etc. This necessitates the use of metrics to give meaningful insights into the security awareness and training program’s performance.
Regular feedback should also be sought in order to identify opportunities for improvement. NIST SP 800-50 identifies several “program success indicators” of which you should be aware:
1. Sufficient funding to implement the agreed-upon strategy
2. Appropriate organizational placement to enable those with key responsibilities to effectively implement the strategy
3. Support for broad distribution and posting of security awareness items
4. Executive/senior level messages to staff regarding security
5. Use of metrics
6. Managers do not use their status in the organization to avoid security controls that are consistently adhered to by the rank and file
7. Level of attendance at mandatory security-related meetings/sessions
8. Recognition of security contributions
9. Motivation demonstrated by those playing key roles in managing and coordinating the security program
The security awareness and training program is a critical component of a successful cybersecurity risk management strategy. How is yours working for you? If you’ve not recently done so, it might be a good idea to review your SAT program against NIST SP 800-50 to ensure you’re doing everything possible to educate and train your organization’s users.