Build a Security Culture by Kai Roer

Author: Kai Roer [Roer, Kai]
Language: eng
Format: epub, azw3, pdf
ISBN: 9781849287197
Publisher: IT Governance Publishing
Published: 2015-03-14T22:00:00+00:00


Building your team

John, the CISO of a large, multinational bank, had a team of cyber security professionals to help him tackle incidents and run their security operations. His team was highly skilled, from network engineering to intrusion detection system tuning, from security data analytics to incident response. And they all seemed to love their work. Except when the task of security awareness landed on their table. John thought it had turned into a game within his team to avoid any work with security awareness. He understood that his team’s lack of interest in awareness could be due to a number of things:

• Awareness is not considered sexy enough (i.e. not technical).

• A team member not having enough knowledge of awareness.

• Awareness work seems to never be successful, turning anyone working with it into a failure.

• A lack of funding to buy the coolest trainings or content available.

Most of these things can be handled easily enough – as soon as they are recognised. Let’s take each point by itself:

• Not considered sexy is a common excuse we receive from technical staff. There are several ways to deal with this issue, including hiring a security culture manager, as is increasingly being done in the Nordic countries (Norway, Sweden and Denmark), who will build, implement and manage a security culture programme. Another option is to use technical tools such as the Social Engineering Toolkit, a tool most techies will relate to and like. Communicating the importance and value of security culture work will also help motivate your team to take it on.

• A team not having enough knowledge of awareness is another challenge we see. Of course, if you do not have enough knowledge of a topic, it is hard to realise just how cool it is, right? To tackle this challenge, training your team in security culture is vital. The aforementioned Social Engineering Toolkit is an excellent way to raise knowledge and build interest. Another way to show how critical and exciting awareness work can be is to join or design a Social Engineering Capture the Flag (CTF) event with your team. Also, create an environment where it is easy to plan and execute security culture activities.

• The argument about security awareness never being successful is easily combated with good metrics and an understanding of human behaviours. Use the Metrics module to design and build goals and metrics that matter.

• A lack of funding is a challenge in all work – not just security. To get the funding you want, you will have to compete with other departments and projects that may be more business aligned and better at communicating direct and indirect value. Again, metrics matter. And when it comes to securing budgets, communicating business value is critical. Do not expect a huge fund from day one. What is more common is that you must demonstrate results and value over time. Again, the Metrics module is your friend. Also, an out-of-the-box, low-cost, use-what-we-have mentality will take you a long way when funding is low.
