What Belongs in a Security Awareness Program?Burak Kaan Bahadir
What Belongs in a Security Awareness Program? – Security is also a people problem. Security awareness is as important as technical security. As I said in my other blogs, people are the last line of security, so Security Awareness Programs are crucial. In this blog, I’m going to discuss What belongs in a Security awareness training.
1 – What’s Security Awareness Program?
Essentially, security awareness training is a way to provide an appropriate level of knowledge about cybersecurity. Nowadays, security is everybody’s responsibility.
There are three lines of defence;
- The first line is your controls, how you implement security best practices and prevent compromises.
- The second line is detection, how you realize attacks or attempted breaches.
- The third line is your people, how aware your people of security and what they do to avoid being a weak link.
If the security awareness program supports providing the three lines, I can say it’s a good one. Security awareness programs are important because they reinforce that everybody is responsible for security.
2 – What Belongs in a Security Awareness Program?
There are 4 key components in the Security Awareness Program.
1 – Communication
Security should become a part of the conservation in the organization. Management teams must regularly communicate to the employees that security is important. This communication must be clear, regular, appropriate and interactive.
2 – Checklist(s)
There needs to be a checklist. The checklist will help your company stay organized when it comes to developing, maintaining and delivering a security awareness program.
Checklists should include;
- What to do when a new hire starts and when an employee leaves.
- How often to remind employees of security protocols.
- What to do when an incident happens.
- How to communicate with customers or partners when in a breach.
3 – Content
A security awareness program must have appropriate content. The content should be striking, impactive and not boring, depends on your organization structure, may include;
- Role-based guide
- Training programs
- A handbook (PDF File)
- Amusing games
4 – Controls
Security Awareness Programs should include control mechanisms such as Threat Intelligence, Incident Reporter, Phishing Simulator etc.
Controls mechanisms are the guards to prevent the car from flying off the road, ensuring that people and systems are only able to do what their roles dictate and only with the appropriate approvals.
Cyber Security Researcher