SECURE MENTEM
Copyright Secure Mentem
1
The Habits of Highly Successful Security Awareness Programs
Ira Winkler, CISSP
President ISSA International
What is Secure Mentem?
• Strategic security services modified to focus on Security Awareness
• Based on research
• Bringing breadth and depth of security awareness methods
• Tailored to corporate cultures
Why Security Awareness?
Captain Kirk
Who wouldn't guess a password of "Captain" on an account with the user ID "Kirk"?
This happened at NSA
Whose Fault Is it?
• She sounds like an idiot
• She is an Ivy League graduate
• Why was she not previously told that she shouldn't have that as a password?
• Why was the password allowed in the first place?
This Is Not Unique
• Security professionals make assumptions about the base level of knowledge of end users
• Also extends to knowledge assumptions about other technical professionals
• As per Felix Unger, when you assume you make an ass/u/me
Common Sense
• The problem is that security professionals assume that the users should exercise common sense
• There is no such thing as common sense without a base common knowledge
• Security programs fail because they assume that common knowledge already exists
It's Not Stupid Users
• It's incompetent security professionals
• While there are some stupid activities on the part of the users, I always ask what the security staff could have done better
• Does your staff stop and ask how the incident could have been prevented?
• Is there a discussion of both modifying user activity and preventing user activity?
Security Awareness is Implementing Security Culture
• Not exactly, but close enough
• Security awareness is about getting people to implement secure practices in their daily activities
• Must instill common knowledge of concerns and base actions
• Training is different from Awareness
Why Security Awareness?
• The human factor
• Technology can only help so much
• Cost-effective solution
• Required by standards and regulations
The Study: Opportunity Statement and Methodology
The Problem with Security Awareness Programs
• Varying degrees of quality in awareness programs
• The 3-year cycle
• Poor security cultures
Approach/Methodology
• Qualitative
  – Face-to-face interviews with Security Awareness Specialists
• Quantitative
  – 2 Surveys
    – 1 for Security employees
    – 1 for Non-Security employees
• Limitations
Study: Analysis
Analysis: General Trends
• Participating companies from the following sectors:
  – Health Sector
  – Manufacturing Sector
  – Food Sector
  – Financial Sector
  – Retail Sector
• Companies were often surprisingly honest about the success of their programs
• No participating company had any metrics to assess their effectiveness
Analysis: General Trends
• Most companies struggle to gain support:
  – From upper management
  – From key departments
  – From their user population
• Compliance:
  – PCI helps with support and budget
  – HIPAA does not
Analysis: General Trends
• Variety of approaches
  – Some Security Awareness Specialists had a security background while others had a marketing or communications background
  – Companies had 1-26 employees contributing to efforts
Analysis: Security Respondents
• 87% of Security Respondents reported their programs are successful
• Roughly half reported having difficulty encouraging their employees to take security seriously
• Only 19% reported a lack of support from management
Analysis: Security Respondents
• 26% reported a lack of enthusiasm for their efforts
• 50% reported having difficulty receiving funding for their initiatives
Analysis: Non-Security Respondents
• 100% of Non-Security employees reported having learned something from their company’s Security Awareness program
• 100% reported being “security-minded individuals”
• 100% reported thinking their company’s Security Awareness programs are successful
Analysis: Non-Security Respondents
• Only 60% reported changing their behavior as a result of Security Awareness
• 92% reported viewing their Security team positively
• 12% reported having conflicts with their Security team
Results
• Security is difficult to administer at most companies
• PCI compliance helps with enforcement and awareness
• Creativity and/or participatory training are the key(s) to success
• Companies with more top-level support are more successful
The Habits
Habit 1-Create a Strong Foundation
• This is the main source of failure
• Make a 3-month plan
• Topics may change
• Assess Approach
  – Softball
  – Hard push
  – Avoid fear-mongering
Choosing Components
• Which mediums of communication will be most effective at your company?
• Which mediums are already saturated?
• What are employees most receptive to?
Recommended Components
• Website
• Posters
• Newsletters/Blog
• Monthly tips
• Lunch and Learns
• Roadshows
• Speakers
• Security Week
Keep the Program Fresh
• Easy to fall behind
• Pay attention to the news
• Create new material for every month
Habit 2-Organizational Buy-In
• Appeal to the highest level you are able to engage
• Market some materials to the C-level
• Stress benefits of Security Awareness
Habit 3-Participative Learning
• Learning modules
• Interactive components
  – Make user feel involved
• Additional tools – Phishing
Habit 4-More Creative Endeavors
• Guerilla marketing campaign
• Security Cube
• Policy distribution
• Demonstrations and movie showings
Habit 5-Gather Metrics
• No participating company gathered metrics
• Compare rate of reported incidents pre and post
  – Collect metrics ahead of time so you can potentially measure success after the fact
Assessing Success
• Assess which components have been successful
• Administer a survey
  – Try to keep it anonymous
  – Offer a drawing that employees can enter for a prize
• Understand limitations
Habit 6-Partner with Key Departments
• Reinforces company message vs. security message
• Consider departments such as:
  – Legal
  – Compliance
  – Human Resources
  – Marketing
  – Privacy
  – Physical Security
Habit 7-Be the Department of How
• Department of “How” vs. Department of “No”
• Teach instead of dictate
• Establish positive security culture
Conclusions
Key Takeaways
• Focus on building support before spending too much time on other aspects
• Do a thorough assessment of culture before starting or revamping the program
• Consider partnership with other key departments
• Focus security awareness on common knowledge so users can exercise common sense
For More Information
[email protected] +1-410-544-3435
www.facebook.com/ira.winkler
@irawinkler
www.linkedin.com/in/irawinkler
[email protected] +1-651-325-5902
@samanthamanke
http://www.linkedin.com/pub/samantha-manke/21/34/779