Published on April 7th, 2022
#ISC2Events: A DPO's Guide to Delivering a Cybersecurity Awareness Program
At the (ISC)2 Secure London Event today, Laurie-Anne Bourdain, data protection officer at Belgium fintech company Isabel Group, delivered a session on planning and delivering a successful cybersecurity awareness program.
Bourdain advised that creating a roadmap is an essential first step in developing a good awareness program. The roadmap requires an understanding of your organization's threat landscape, which includes knowledge of your vulnerabilities, who your threat actors are and what threat vectors you're up against. "This knowledge will help you consider your priorities based on your risks. Due to budget and time constraints, you need to evaluate and prioritize your risks, but you also need to align that with your own risk appetite – consider how much risk you can afford to take," she advised.
The next step in the roadmap, Bourdain continued, "is to identify what you want your targets to learn. Then, you need to address what resources you have. Think about your channels of communication." As an example, printed posters are still an effective method of communication, she said.
"The scary part of your roadmap is delivering it," said Bourdain, "because you might fail." She considers herself lucky to be given the luxury of spending a fifth of her time on awareness and training, "but I'd still like it to be more," she contended.
Developing awareness programs is all about filling gaps, she argued. "This includes the knowledge gap, skills gap, and the motivation gap." She argues that the latter is the biggest challenge. "It's difficult when people know how to do something but don't want to and they don't care. You need to explain why it's important to them personally and support motivation with incentives or rewards – this will help them continue their behaviors."
The final gap that Bourdain called out is the undeniable communications gap. "IT is not the primary language of most people in an organization, so be careful not to use technical or legal language," she advised. "Use a language that is easily understood by every single member of your organization and adapt to your different learners." Putting yourself in the shoes of the novices in your organization will enable you to pitch your language and communication correctly, she said. "Try to remember what it was like to know nothing. Don't assume knowledge."
She emphasized the importance of positive reinforcement, noting it can take the form of recognition and awards and does not necessarily need to be financial. "Other tips include gamification, playing on people's emotions and using the power of moments," she said, giving the example of raising awareness during the Log4j crisis. "Use social engagement. The more people that are visibly doing something, the more others will feel encouraged to do the same," she added.
Her strongest piece of advice, however, is repetition. "Awareness needs repetition, even when it feels counter-productive. Yes, you already told them that last year, but it will have been forgotten, so tell them again."
In conclusion, Bourdain stated the importance of three ingredients for a successful cybersecurity awareness program:
- Management support: "To create visibility, you need management support. Make them understand what's in it for them and gain their support."
- Provide metrics: "Provide good metrics. Data on how many people completed the training on time is a bad metric. The number of people reporting phishing compared to last year, however, is a good metric."
- Report back: "Tell management why your awareness program is working, and tell them why you need more budget - and more time - for next year."