CIOReview | 9 DECEMBER - JANUARY

relationships with these key team members will prove essential.

Once you have the support that your program needs, the next question you'll probably be asking yourself is "well... what now?" The first thing you're going to want to do is establish which employee behaviors pose the greatest risks to your organization, which behaviors are needed to manage those risks, and which need to be tackled first. Employees need to be engaged in a manner that not only makes them aware of what needs to be done, but also makes those behaviors easy to adopt. Defining what these risks are may seem a tricky proposition at first, but this is another point at which those relationships with your internal teams, such as security operations, will prove invaluable. They will likely have statistics on the risky behaviors they deal with on a daily basis, whether from phishing, data loss prevention, privilege abuse, etc., and this gives you a good starting point for the behaviors you need to direct your attention to. The human cyber risk spectrum is broad, and we could go on ad nauseam about the threats posed by social media usage, email, public networks, weak passwords, social engineering, data disposal, yada yada yada. The point here is that there is no real bound to what your awareness program can address, but don't get too bogged down in minutiae; focus on the topics that will have the greatest impact on your risk.

Engagement comes in many forms, and what you're able to do will in large part come down to your corporate culture, your budget, and your support. Remember that we live in a world where information needs to be digestible, and it is important not to overburden people with information that they don't really need. Annual training may be necessary, but it will never have the impact that a continuous program will have.

People need behavioral priming, self-efficacy, social proof, and whatever other social psychology buzzwords you want to throw in there, in order to start changing behavior and ultimately produce a more secure culture. I'm running out of room here, so I'll leave you with this: no aspect of your human cyber risk will ever be zero. Awareness is about managing those risks. Engage your workforce in a positive manner, make it relevant to them, and make your desired behaviors easy to exhibit. There are lots of resources available out there for those looking to delve into the awareness realm, as well as vendors who can help make the delivery of content more efficient and impactful. Security is often viewed as a negative, having an impact on hard-working employees' ability to do their jobs. Awareness is about changing that perspective, so remember to be creative, and have fun! Awareness is not a part-time gig; it is a full-blown security control and requires full-time attention to keep it running.