Frank Cassano

How to Make Security a Presence in Your Organization

Welcome once again to the risk rack. In this risk rack I will be discussing a way to bring some presence to your security awareness month. For the uninitiated, National Security Awareness Month occurs in October and is supported by the U.S. Department of Homeland Security. A security program is only as good as the individuals in an organization: it boils down to how well they apply the security policies and standards established within their organization. Security awareness is a vital component of how individuals apply the security policies and procedures, and security awareness month is a vital tool in one’s security program. To have a successful security awareness month, a CISO must keep in mind the success factors of awareness activities, which include:

  1. Have senior management support
  2. Are based on the organization's policies and standards
  3. Are targeted at specific audiences
  4. Focus on key areas of need for the organization

The level of impact possible will, of course, depend on your organization's size, geographic presence, budget and staff. The remainder of the article provides some examples of how to create a bigger presence and impact during one’s security awareness campaign. It will be up to you to decide what will work best in your organization.

Keynote Address: Create an event where senior executives of the organization attend a keynote address given by the CISO to discuss the security posture of the organization. It is also a good idea to have the CEO or another high-level executive make the introduction, to lend additional importance to the event. The address should be well structured: first, it should provide context for the discussion; then, it should provide a clear presentation of the security issues being addressed by your team. Be careful to give a full picture of the program and not just the gaps in it. Positive reinforcement of security achievements helps demonstrate the value of security.

Security Cubicle Display: This is one I have seen a few times and I find very effective. The security cubicle is configured like any typical cubicle in your organization, but it is set up to highlight potential security gaffes an employee can make in the work area. For best effect, the cubicle should be set up in a common area of the organization (lobby, cafeteria, etc.) that gets a lot of foot traffic. The cubicle should be accompanied by a quiz sheet so that employees can try to identify all of the security gaffes represented in the work space. You can also make it a contest with a prize if you feel it will get more participation. The gaffes would, of course, depend on your organization's specific security policies and standards, but some that may apply include:

  1. Password displayed on a Post-it note attached to the monitor.
  2. Password taped to the bottom of the keyboard.
  3. Confidential company information written on a whiteboard.
  4. Payroll information displayed on screen.
  5. Workstation not locked.
  6. Folder with client SSN left on desk.
  7. Hard copy of an email from one employee to another giving them their password.
  8. etc.

Security Game Show Event: Create an event based on a popular game show but using security questions based on your policies and standards. You can either set up the game show as pure theater with security staff, or you can have contestants from around the organization participate.

Cold Calling: This is actually something I have used throughout the year but could be used during security awareness month as well. Cold calling is the process of randomly calling support staff within the organization to test their ability to stay within the organization's policies and standards in order to avoid becoming a victim of a social engineering attack. Upon successful completion of a call, the staff member receives a reward, usually a company gift certificate, a candy bar, or something else small but meaningful.

Contests: Contests are good activities for grabbing attention and holding it for a period of time. For example, you can kick off a contest at the beginning of the month, then announce a winner at the end of the month. Some contest ideas include:

  1. Creating a security slogan
  2. Creating a security logo
  3. Creating a security mascot

Community Contests: A spin on the internal contest would be to do outreach to a school, where the organization's security staff would give a security lecture to the students and the students could participate in a security-themed contest. The winning entry would receive a prize. Prizes could range from a pizza party to a brand new laptop. The grade level of the school would not matter, but the contest should be tailored to the grade level involved. Elementary school children could be asked to draw security posters, while college-level students could be asked to solve a specific security case study.

These are just a few examples of ways that you can make your security awareness month have more presence this year. I hope these ideas have helped and hopefully sparked some other ideas for your programs.
