
Designing the Path Forward: Security Awareness for the Indifferent Workforce

BSides Augusta · 2021 · 31:39 · 69 views · Published 2021-10
Category: Community
Style: Talk
About this talk
An organization may have a robust security program, but all it takes is one click by a user, or certain information divulged on a cold call, for an incident to occur and take the organization down. Incidents can be reduced with increased security awareness training for the workforce, but that takes a successful implementation of a security awareness program, constant reinforcement, and a workforce that wants to learn.
Transcript [en]

Everybody, thanks for coming to the talk that I have today. We are going to talk about security awareness maturity assessments, so hopefully you guys get something from this, and if not, I have tons of other things to teach you. Like I said, my name is Rose. I am a governance, risk and compliance manager at a company called CSO. We do red, blue and GRC services. I own the governance and compliance service line, meaning everything that falls under that really large GRC umbrella is my responsibility; I oversee the delivery of it. I have a master's in cybersecurity and advanced networking, and I have 15 years in IT and then the last nine in

security. So I have been spending quite a long time in IT doing a lot of different things, and over the years I've really enjoyed teaching others the things that I've picked up along the way. Additionally, shameless plug, guys: I do a lot of public speaking, so if you are interested in governance, risk and compliance, I have tons of talks available. You can get to them through my LinkedIn page. I've done podcasts and a whole bunch of things relating to ISMS and third-party management, and if you are not familiar with setting up an entire security awareness program, I have a talk on that too. So today we're just focusing on maturity assessments, whereas there's another talk available

if you need some help setting up your whole program. All right, so security awareness programs: let's level set there first. Do any of you in here have your own security awareness program that you run or contribute to? A few hands. Okay, great. So when we talk about security awareness, that program is fundamental to what we're doing at an organization. There's a lot of purposes behind it: maybe we're trying to give better training to people, we're focusing on certain topics, computer, network, physical, whatever it may be, but ultimately we are trying to change the behavior and the culture and facilitate these really great conversations with our workforce, because ultimately we want to have a reduction

in the risk related to human behavior. So security awareness typically has the rap of, you know, this is a compliance activity. Really, we're trying to reduce the risk associated with the humans within our workforce, and we do this through security awareness. Now, your program is normally split into two different areas. You have your program: that's the compliance and regulatory aspects of it, you have your C-level support, you maybe have your governance, whatever your governance may be with other departments. So that is what is setting up your program. The other side of your program is training, so you have training and activities that you give to your workforce, and you also have social

engineering. So from there you have several training types: you have web-based, you may do in-person or correspondence, or you may do behavioral or role- or group-based training. So: program, and then your training, and that's coming together to develop your program or level set your program. So, security awareness level setting there. Now we're going to talk about maturity assessments, because that is the main purpose of this talk. So, maturity assessments. I'm not here to say hey, go out and get a third party to do it. I'm not saying you need to jump through all these hoops to get a maturity assessment done for your program. What I want to do is enable you guys to take this information and go conduct

your maturity assessment against your own program and understand how your program is truly operating. So maturity assessments look at your current state. They evaluate how you're sitting, what you're doing, what you're not doing, and figure out where you want to go. Do you want to have a level 3 maturity, a level 4 maturity? Do you have no maturity and you don't actually realize it, because maybe your program is very immature? All of this is going to play a key role in your maturity assessment. So when I do maturity assessments, I am normally looking for four components: I'm looking at your governance, I'm looking at how you execute the program, I'm looking at your staffing, and your metrics. So those four things I am

normally looking at as they relate back to your program and your training. So we have a breakdown here. The breakdown is: governance. What exactly am I talking about? Because that could be kind of vague. Do you have a policy? Do you have a standard? Do you have some sort of strategic plan? All of these are going to support your program, and your governance is going to need to be established to be able to run your program effectively. I will tell you now: if you do not have governance when a maturity assessment is being done, you likely will be a stage one type maturity, because you don't have anything to govern your program, and that is therefore going to

drive all the things that you need to do. Next you have execution. Who's executing on your program? Is your workforce actually picking up the information? What kind of training is available? All of these things play a key role in how this program is actually executing and how it's being administered within the environment. Oh, my apologies, did not mean to click next. Next: staff. So how many of you that actually run your own program are doing it in a dedicated fashion or part-time? Raise of hands, dedicated to your program right now? One person. So most programs are operated in a percentage capacity, 20 percent, whatever it may be. Okay, well, you're likely going to have an immature program because it's not getting

the support and the resources that it needs. So when a maturity assessment is done you're looking at: do you have the qualified staff, do you have the people you need to run it, are those people educated on how to administer your program, do they have soft skills? Another key aspect here with security awareness: it's not all, you know, sending the training out, policies and LMS and doing those sorts of things. You need certain soft skills to administer the program and communicate with the workforce, so that's another thing that comes through staff. Then finally, metrics. Are you understanding how your program operates? Are you going back into continual improvement? Are the only metrics that you're

gathering whether or not everybody completed their training? Because if so, that's not a good metric of how your program is operating. There's a lot that filters into there. Okay, I see a head shaking back there. Yeah, that's the only metric you do, yeah. So a lot of times people have the metric of everybody did their training, the auditors come in, they show that everybody did their training, and that sort of counts for their metrics. Well, that's not really going to show how your program's operating, right? You need to understand, look at your IR processes: how many business email compromises are you having? How many phishing attempts? Of those people with phishing and business email compromises, are they getting the

right training? Are you reporting on it? Are you doing all these other things? So the metrics really play a key part here in making sure that you cycle back into your continual improvement. So if you do have a lot of business email compromise, are you adjusting your training and making sure those repeat offenders, or your problem kids, are taking the training that they need to? So, a lot to consider there. To add another tricky aspect into your program, or the things that you need to consider for your maturity assessment, is compliance and regulatory. So we've talked about, at a very vague level, that you have security awareness programs that have your program and your training. You may get influenced by

compliance and regulatory factors. Those are a lot of things to take into consideration for your program: you need to have the metrics, you need to have staffing, you need to do X, Y and Z of the things, and the compliance and regulatory factors make it even more complicated. For ISO 27001 you have to have the training, you have to show that they have the training, you may have to demonstrate that they signed off on the information security policy; that may be incorporated into the security awareness. NIST 800-53: there's a whole domain, Awareness and Training, for your security awareness program. So lots of things to consider there when you're building your program and making sure that you're evaluating the maturity

of your program against what's applicable to your environment. Out of the people running their programs, do you guys have any regulatory factors right now that are driving your programs? What about you, what do you have driving your program?

Okay, yeah. Anybody else? Oh, that's everybody's favorite. Any other regulatory drivers in here? I work with a lot of environments. Oh, in the back: oh, you have a security rule and privacy rule, yeah. So I work with a lot of clients that have a lot of different regulatory factors like that, and when you start stacking them up they get more and more and more complex, so definitely take that into consideration for your maturity assessment. All right, a really useful tool if you have not seen this. I am not going to tell you guys to reinvent the wheel, because if you have not already researched it, there's 50 million maturity models out there, and in

particular SANS has one for your security awareness program. They already did all the hard work for you; you've just got to go to their website and get this chart. Get it.

So we do have the security awareness maturity model here. I did steal it from SANS, but I did give them credit, so you guys can go to that link. Now, the maturity model is in five levels. You have non-existent: you're not doing anything, your users don't even have any idea what security awareness is, "don't open the emails," they don't know anything. Then you have compliance focused, and this is where a lot of organizations that I work with normally sit. They have people that sign off on the policy, they maybe take training once a year, they meet the minimum requirements that are expected of them for their compliance focused program, so they aren't doing anything more than that.

Maybe they want to, but maybe they don't have the buy-in for it. Then you have promoting awareness and behavioral change, so now you're going on that uphill trend. You have your security team actively looking at people, they're identifying human risk and associating that back into their program. You have the users that are starting to acknowledge the security awareness habits that you want them to have; they're maybe getting hold of security and doing the things that you're hoping they would take from the training. Then you have long-term sustainment and cultural change. So, big one here, the cultural change: that's what you really want to see. So going back to the purpose of security awareness, you want to see that reduction

in risk related to your humans. Well, when you start hitting that fourth level you're going to see that cultural change and really start to see that reduction in the human risk. Additionally, that human risk should be accounted for when you're doing your other risk management type functions, to further reduce it. And then metrics. So going back to continual improvement: you have the continual improvement for your program, you're able to demonstrate that through your metrics, and these aren't metrics like "oh, everybody did the training, everybody did this." These are very complex metrics to put you in that state of continuous improvement. All that information is within the infographic at that link; you could just Google it, it comes up very quick. So

they've already done the work for you. You can leverage this resource to do your own maturity assessment. All right, so far we've talked about the different components that I look at, we've talked about a maturity model, so I'm going to tell you how I normally execute a maturity assessment. You could take it or leave it or modify it however you like, but this is what I normally do. So for execution, I figure out who I want to talk to. So you have stakeholders for your program. Your stakeholders may be compliance, maybe HR, your security team, anybody that is invested in that program. Maybe you want to talk to management and see what their perspective is on how the

security program is operating. Another stakeholder you may want to talk to is the users. Are the users getting any benefit from the training? Because a lot of times what I see is a disconnect between the people administering the program and the people taking the program. So whenever you have security awareness, you're supposed to market security awareness to your users; you want them to buy in and invest in the skills. So why not talk to them and see what their perspective is? You know, if they're just getting all this email and it's not really beneficial for them, well, now you know that that's not really working for your org. Review the provided documents. So,

not everybody's going to love to do this. I personally love to do this; this is why I work in governance, risk and compliance. But you need to look at the policy, you need to look at standards, you need to look at the plan, if those things are available. If they are not available, then obviously you can't look at them, but you already know they'll probably have a level one maturity, or you'll have a level one maturity. Review the provided training. Again, you want the users to invest in these skills, so you have to look at the training. You can't just rely on "oh yeah, you have the training"; that's not going to be good. You've got to look at the training and

see if it's actually beneficial. Then you want to prep your interview questions. So don't go to your interviews, or whoever you're talking to, and have an ad hoc conversation. You want to get the most out of their time and your time, so prep some interview questions in advance. Again, SANS already did a lot of that heavy lift for you; a lot of those questions you could easily get from that graphic that I pointed you to. You'll want to determine how you record your responses. I know this seems like a wacky one to put in here, but after many, many years of doing all sorts of assessments I have learned: figure out how you like to write, whether

it's OneNote, a spreadsheet, a Word document, whatever it is, just know that in advance. And then finally, understand the compliance and regulatory factors, because ultimately that is what the program's trying to achieve. They're trying to first hit those compliance drivers, because that's likely going to have a business impact. If you work in healthcare, they're going to be concerned about HIPAA; if you're going after all these other certifications like ISO or whatever, those are going to have a business imperative. So make sure you understand the compliance and regulatory drivers. Now we have governance. So this is where I start to break it down a little bit more for you guys. You'll see that we have stage one all

the way through five on here. Starting at the top, you have no awareness program; across the board, every area that we're going to look at, no awareness program, no observable actions. When we hit that stage one, compliance focused, employees are a little unsure of the policies. If a policy does exist, it's only there to satisfy the compliance requirements. So say you wrote up a policy, you got it signed off, and really it's just "hey, we'll do the training annually," and you're satisfying what the audit or whatever is going to expect of you. Then we hit stage three. This is where you see the actual improvements start to happen: you have a plan, you know what

your program is trying to do, and you have leadership support. So, big item there, leadership support: your program is only going to be as successful as your leaders are bought into it, so that top-down approach is key here. And then long-term, your program is actively reviewed and updated on an annual basis. So it's not good enough to just have the plan; you want to make sure the plan is actively reviewed, you're continuously improving it, and then making sure that it's available to whoever it needs to be available to. Next we have execution. Again, no observable things happening for stage one here, but at stage two you have limited support; your leadership may perceive security as a technical issue.

How many of you guys have been in an environment where you don't necessarily have security awareness in place, but your leadership's all for throwing new technologies or tools onto your infrastructure to fix the issue? Maybe it's better email protections, maybe it's a SIEM, maybe it's whatever, and they're thinking that fixes the issues, when really you're still going to have the human risk regardless of the technology that you put in place. So if you guys are experiencing that, that's indicating you're at a stage two maturity: your leadership's not bought into the human risk factor yet, they're giving you money for the tools. So stage three,

winning the program: they know their top human risk, and security awareness is considered a part of the overall security effort. So, big item here. I was recently part of a meeting where the team recognized that we were getting a lot of smishing. So we have this special meeting, we talk about all the security issues, and we identified, oh man, we have a lot of users getting smishing. Wouldn't you know, the next day we send out a newsletter saying hey users, here's smishing, here are the things that you need to know about. And so now we're identifying these human risks, risk related to technology that we maybe have in place, we're seeing it in our logs and our

trends and all these other things, but now we're taking action. We're saying, before this gets out of hand, we're giving you training and we're talking to you, especially the ones that are getting the most frequent phishing attempts. Then you have long-term, so the leadership believes in and is invested in the long-term support. Again, leadership buy-in is key here. I recently had a meeting called a management review. If any of you have an ISMS in place from ISO 27001, management review is key here. So, management review: you sit down, you look at everything that's happening in your program, and that's where you get your management buy-in. We had a very great conversation around what's going on within our program, in particular what's going on

with our human risk, and they really were invested in the conversation: what can we do to fix the human risk, what can we do to resolve this situation? They're demonstrating they're very bought in through the actions that they're taking. Staffing. All right, so I think we said we only have one person in here and the rest of you are kind of part-time. Stage one, you're sending the newsletter out or spending a couple hours annually. Stage two, you have a part-time person here, so an "I get to it when I get to it" type attitude, or maybe you have other responsibilities. Stage three, you have a program lead dedicated to the program. I haven't seen many people other than one in here that

have a program lead assigned to it. A lot of organizations struggle with this because, as we all know, you wear a lot of hats, you have a lot of things that you have to do, and just getting that buy-in has always been really challenging. Then for stage four you have multiple FTEs. I've never seen that personally, and if you have I'd be curious as to your thoughts there, but at stage four you have multiple full-time employees assisting with this. Then finally, metrics. So for metrics, stage one, again you're not doing anything. Stage two: number of users signing your acceptable use policy or other governance, or maybe number of users completing the annual training. Promoting awareness, stage three: you're

measuring that human risk and you're measuring phishing exercises. So maybe you've implemented a tool and you're able to see who your biggest offenders are, and you're having them do repeat training, and that's going up to your risk management committee or whoever. Long-term, you have a program lead actively updating leadership monthly. So remember, leadership's really bought into the program, and now you're giving them those metrics to support what you're doing. Then we have stage five, so metrics are collected and they're often automated; now you're not having to do anything for them, they're kind of generating on their own. And then the metrics are integrated into your security frameworks, so for everything that you're doing within your security program, you have

these metrics integrated and you're understanding how they're impacting your security awareness, your human risk, whatever you're trying to measure. So now we did all that work: you sat down, you had your interviews, you recorded your answers, you understand where your maturity is. What do you do with all that information? Well, this is what you do: you develop a roadmap to your desired maturity level. So let's say that you are a stage two, you only do the compliance things. Well, maybe you're going to develop your roadmap to stage three, and fun fact, that SANS infographic that I showed you guys has steps to get to the next level. Again, you can go to that document and

it'll give you a little bit of insight. Determine your budget, if you need one. So if you need a tool to help with your LMS, maybe you have been manually doing your security awareness training and that's no longer sufficient, and it pans out in the results, so you determine your budget. Maybe you just say we need some sort of tool and you do a little bit of research here. Next, you determine your capacity requirements for resources. So this is a little bit assumed in the budget, but I'm going to dive in a little bit deeper here. If you are going to need support from outside departments, maybe HR, maybe compliance, maybe whoever, as part of the

project planning you really should identify how many hours you need from them. Do you need like one hour a week, two hours a week, a couple hours a year? What is that number that you need assistance from them? Because what you don't want to happen, which is going to cause bad relationships, is that you build this whole project plan and you assume that they're going to help you, and you force them to do work that they weren't prepared for. So help them get prepared, show that you're a good business partner, and just make sure that you understand how much time they can devote to this program. And then most importantly, management buy-in. Huge one here; I will

harp on it 50 million times. Management buy-in for anything that you do in security is key. So I know it's challenging to say, but if you take the management buy-in perspective, compare it against your human risk: if we mature from a level two to a level three, what does this do to our human risk? Does it reduce it by ten percent? Are we having a return on investment of saving a hundred thousand dollars? Are we doing this and is it having an impact? So it's not good enough that you get the plan together and you say, oh, we should do this. You need to demonstrate to management the return on investment here, in terms they understand.

So we got through the maturity assessment. There's tons of things there, lots and lots and lots of steps, but let's walk through one, and this is a super, super quick exercise because I think I only have five minutes. All right, do any of you guys watch The Office? Great, that's my favorite show; I'm glad you guys watch that one. All right, so Dunder Mifflin, with Michael Scott. They have governance, but the policy only addresses their ISO 27001 requirements. They have execution: training once a year, that's all they do. Leadership is minimally bought in, so Michael's like "yeah, you just do the thing, I don't know what you're talking about, but yeah, go ahead and do it."

Users sign an information security policy, an acceptable use policy, so you have them doing that. You have no dedicated staff, and your metrics only contain the results of the annual training and maybe the policy sign-offs. So what do you guys think I rated them as, based on those quick bullets?

You guys are right, nailed it: you got compliance. So it's not as hard as it seems. There's a lot of steps and things like that in there, I promise you; resources are online, it's just a matter of kind of pulling it together and having the time to do it. If you are trying to figure out how much time you need to dedicate to this: if you're very familiar with your program and how it operates, you could probably dedicate five hours of time to this. It's a quick exercise, but you have to make sure that you have people bought in to interview with you and have the dialogues. And that is it. I have

Twitter, LinkedIn, and you guys can contact me through email if you need any sort of support or assistance or understanding, you know, how to really get started, more than what's contained in here. So with that, any questions? Oh, I do have something to give away, so whoever does have a question... What is this? A lock pick kit. In the back.

Presentation software? It's Prezi. Prezi.

So it's mixed; it depends what you're trying to accomplish. So if we're talking security awareness, you can make a case like, all right, so you're managing 30 risks on your register relating to some sort of human activities happening; tie that in there, and how much time and resources are needed to be able to work on those risks. So you have those 30, and for each of those risks they're having to spend five hours of execution doing whatever those things are, and then you're at 100 hours for 30 risks, and bring that to management so they're understanding. But additionally, if you are using a compliance framework, leverage that as well. So I'll go back to the ISO

27001 example. A big component there is non-conformities against your ISMS. So if you have a process and you don't do root cause analysis, you're not going to meet the intentions of that. So if you have an audit coming up and you have multiple non-conformities for something related back to security awareness, you're not running your ISMS in the way you should, because you're not following your corrective action process. That's another way that you can do it: management's not going to want you to lose that certification if you're not able to stick to your processes, but you've got to tee up the language just right for them. Not sure if that fully answers your question, but all right, I do think I'm at time.


So is your question about having people take training around email security?

Yeah, it's half and half. So you should be enabling your infrastructure to have those technology components that you know are preventing it in the first place, but you also want to be able to have them doing the things that they need to do to keep the environment secure, because ultimately what it boils down to is you're trying to keep the information secure within that environment by reducing that human risk. My thoughts on security awareness, and we don't really dig into it as part of this presentation: I don't like traditional security awareness trainings. I think they are horrible; they're not the right thing for our users. The right thing for the users is to identify what kind of training works for

them. Do your users do better in person? Do they do better with videos? Do they do better with whatever? Figure that out, because that sort of training is what's going to help reduce that human risk: you understand what kind of training they need and you're making sure that they're getting it. Obviously it's more complex with the larger organizations that you have, but if you have a smaller environment and you're able to support that, I love having one-on-one conversations with our employees that maybe don't understand security, and now they're getting to know me, Rose, and security, and being able to tie security back to the things that they need to do, and you foster really

great relationships that way. But I absolutely don't think we should be torturing people with the security awareness training that is available; we should be making sure that our technology supports them doing their jobs. Any other questions?

It will be.