From zero to hero in one step

Information security managers, as a breed, are busy people.  The day-to-day job of keeping up with technology risks and security incidents leaves IT security training, awareness and education a much neglected area of information security, though most accept how important they are.

However, with NoticeBored on your team, there’s time at last to make real headway.  Stop procrastinating and take the first step.  Kick-start your security awareness program and step from zero to hero with NoticeBored.  Now!

NoticeBored provides the impetus to get your security awareness program quickly up to speed and the creative energy to sustain the initial momentum.  There is no delay whilst you make a heroic effort to find time to research and prepare awareness materials yourself, and no need to justify to management the additional budget and headcount for your own specialist security awareness author.  Just call on NoticeBored to bootstrap your awareness program, today.

IT security managers typically lack the skills

We’ve been told “Security awareness, yes we tried that once - it didn’t work”.  The reasons for failure vary but the following are common:

  • The ‘awareness program’ in fact consisted of a one-off, training-course-style lecture, typically thrown together as a legal or regulatory compliance activity rather than a value-adding part of the business;
  • The lecture, although well meaning, went over the heads of most of the audience and had no lasting impact - most people came away none the wiser and simply returned to their normal (insecure) daily activities.  Within a few days or weeks, it was all forgotten;
  • The audience had to take time away from the day-job to attend the training (costing the organization money) and many of them resented the intrusion;
  • Worst of all, since nobody really knew what the awareness activities were intended to achieve, there was no way to measure the success or otherwise.  If awareness is seen as an end in itself, this is typical.

It’s easy to poke fun at the traditional “sheep dip” approach to security awareness but much harder to suggest significant yet pragmatic improvements.  NoticeBored represents a genuine alternative, one that is proven to work well.


Your security awareness toolkit

The NoticeBored modules provide not only well-written awareness content specific to each security topic (the raw materials) but also, in a more general sense, the creative communications methods and ideas empowering you to reach out to and engage your colleagues (the toolkit).  The posters, presentations, mind maps, briefings and discussion papers, puzzles, checklists, screensavers, case studies and newsletters utilize a breadth of awareness, training and educational techniques.  The ‘awareness activities’ papers provided in every module suggest new ideas to liven up your awareness program and spread the good word about information security.

Just as with a carpenter’s toolkit, there are probably a few favorite tools that you will use every month and others that you bring out for particular purposes.  You may like, for example, to pick out and circulate some of the awareness materials routinely to employees but make the remainder available on request.  It’s good to have something in reserve to encourage people who are keen enough to want more.

Co-sourcing information security

Information security awareness is our specialism - it’s what we do.  Meanwhile, our customers continue doing what they do best - in other words a classic co-sourcing arrangement.  Drawing on our professional qualifications, focused research and experience, we generate and deliver top quality security awareness materials every month: our customers select and deliver appropriate materials to their employees using existing internal communications mechanisms.  We release information security people from the burden of finding and preparing suitable awareness materials, leaving them to focus on what’s important about information security in their local business context, and using their local contacts to deliver the awareness messages.  Security awareness generates financial benefits for our customers through reduced risks and improved controls, making the service extremely cost-effective (if you need convincing, take a look at our business case paper).


NoticeBored is a bit like having your own information security consultant on the team but at a fraction of the cost.  This is especially valued by our small- to medium-sized customers with over-stretched IT Departments (and that’s just the lucky ones who have someone doing IT!).

If you are already running a security awareness program, NoticeBored complements and breathes new life into your existing awareness activities.  It provides a wealth of fresh content but it’s really up to you how to get the best out of the service.  We think you’ll find our passion for the subject infectious. 

Engaging hearts and minds


Through consistent use of the security awareness program logo, the professional writing style and engaging monthly topics, NoticeBored materials build on each other month-by-month forming a recognizable campaign theme (‘branding’).  Every NoticeBored document, email, web page, briefing, training session/awareness presentation, case study seminar, poster, quiz and conversation with your audiences reinforces the security awareness brand. 

Communicating consistent messages through a variety of media increases the chance of reaching everybody in your organization, both directly through the NoticeBored materials and indirectly, e.g. by stimulating people to talk about information security by the water cooler.  This is true multimedia professional communications - not just a few animated cartoon graphics!  The point is to get under their skins, to make information security a pervasive element of the corporate culture and motivate employees to Do The Right Thing.  We’re talking about building security in to the organization (not just into its IT systems).

Direct language, topical news stories and the odd touch of humor keep the awareness materials relevant, useful and interesting.  In line with modern best practice in change management and employee communications, we actively solicit feedback, comments and suggestions from employees rather than simply broadcasting at them.  Employee participation brings the whole campaign to life.  There are organized activities, prize competitions and even crosswords.  It might be a deadly serious matter but, handled the right way, information security can even be fun!

Security awareness for compliance and accountability

Information security and related privacy laws, regulations and standards specifically mandate information security awareness activities:

  • ISO/IEC 27002, the international standard “Code of practice for information security management”, makes extensive reference to the need for security awareness.
  • Section 164.308(a)(5) of HIPAA (US Health Insurance Portability and Accountability Act) states that the organization must “implement a security awareness and training program for all members of its workforce (including management).”
  • Privacy acts such as the UK’s Data Protection Act and the US Gramm-Leach-Bliley Act (GLBA) typically insist that employees are made aware of corporate privacy policies and procedures.
  • ISACA’s COBIT method states that “Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.”  Control objective PO7.4 (personnel training) is to “Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organisational goals.”, while objective DS7 (educate and train users) is all about security awareness and training.
  • According to Rebecca Herold’s excellent security awareness book, US Federal Sentencing Guidelines recommend judges taking the following factors into account in sentencing:
    • How frequently and how well does the organization communicate its policies to personnel?
    • Are personnel getting effectively trained and receiving awareness?
    • What methods does the organization use for such communications?
    • Does the organization verify that the desired results from training occur?
    • Does the organization update the education program to improve communications and to get the right message out to personnel?
    • Does the training cover ethical work practices?
    • Is there ongoing compliance and ethics dialogue between staff and management?
    • Is management getting the same educational messages as the staff?
  • Under the requirement to “Maintain a policy that addresses information security”, PCI DSS (Payment Card Industry Data Security Standard) requires organizations to “implement a formal security awareness program to make all employees aware of the importance of cardholder data security” [section 12.6] by the following means:
    • “Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions)” [section 12.6.1];
    • “Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures” [section 12.6.2].
    • Version 1.2 of PCI DSS requires organizations to address an expanded list of examples of critical employee-facing technologies, including “remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)”.  Employees are required to acknowledge that they have read and understood the company’s security policy and procedures “at least annually”.  [We strongly maintain that annual awareness/training activities are far behind best practice in the field, and urge PCI to mandate continuous awareness activities.]
  • NERC (North American Electric Reliability Council) standard CIP-004 requires that “personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including contractors and service vendors, have an appropriate level of personnel risk assessment, training, and security awareness.”  It requires them to “establish, maintain, and document a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:
    • Direct communications (e.g., emails, memos, computer based training, etc.);
    • Indirect communications (e.g., posters, intranet, brochures, etc.);
    • Management support and reinforcement (e.g., presentations, meetings, etc.).”

As well as externally imposed compliance obligations, awareness is also a vital part of achieving compliance with internal corporate security strategies, policies, standards, procedures and guidelines.  All too often, management launches a new policy with some fanfare but soon moves on to other things, leaving the policy sadly lost and forgotten, at least until a noncompliance incident occurs.  Worse still, many organizations have gradually amassed an unmanaged collection of half-finished policies dotted around the network, with out-of-date and sometimes mutually incompatible policy statements commonly coexisting on the intranet.

Linking NoticeBored’s unique security awareness and training activities with the organization’s policy generation, publication and compliance processes ensures that nobody can legitimately claim they “did not know” or that “the requirement was unclear”.


OK, it’s now time to tell you about the price of a subscription to NoticeBored.  Prepare yourself for a pleasant surprise ...


Copyright © 2012  IsecT Ltd.