On Wednesday the 2nd of May I, in association with Sanderson, hosted a breakfast roundtable discussion on ‘Lessons Learned in Effective Security Awareness Programmes.’ The roundtable was well attended by Security Leaders from a number of organisations, each with responsibility for addressing the human element of cyber security.
The topics of discussion were: Ethics of Phishing Tests, MI and Feedback Loops, Forming a Plan and Significantly Altering Behaviours.
Each topic sparked a lot of very valuable contributions and some great insights. There were some key takeaways:
Ethics of Phishing Tests – The ethics of performing this sort of test are often questioned at the outset by those at the top of the organisation. But done right, these concerns often dissipate over time.
In addition, being clear about what you are trying to achieve is important as different tests can meet different needs.
MI and Feedback Loops – Key to understanding how successful you’re being is determining useful metrics. Without good metrics, at the very least you are susceptible to a false sense of security.
Forming a Plan – A one size fits all approach can more usefully be described as a “one size fits none approach.” From the starting point of planning, the discussion progressed to cover the need to deal with cultural differences and whether there should be a separate security culture and awareness function within a larger security team.
Significantly Altering Behaviours – There was general agreement that focussed activity is essential and that performing annual training is akin to doing a once-a-year fitness day and expecting to be able to run a marathon.
Additionally, an essential string to the security professional’s bow is the ability to help the design of better systems by being able to contribute to the User Experience (UX) of systems with an understanding of human behaviour.
Fortunately for me, the above is a validation of some of the value we bring to our clients at Advanced Engagement and also echoes the problems we see potential clients needing to overcome in terms of Security Awareness and Culture Change.
It was clear that Security Awareness and Culture Change are relevant to all sections of a Security function, not just the part dealing with Security Awareness, and that there is an appetite for continuing the discussion.
As such, we’re planning to host more events on this subject and to focus on a diverse set of organisations including the public sector.
“It was a fantastic, thought-provoking discussion, where everyone shared their opinions openly. The event was such a success we will be looking to run another later this year in Edinburgh and hopefully look to expand to London and Manchester in the near future.”
- Mary Worthington, Delivery Manager - Cyber & Information Security