Recruiting the right people to run the program

Determining the project scope

Measuring the security awareness and interests in the organization

Creating actions of execution to reach goals

Creating deadlines for different actions to determine the start and end dates

Defining metrics

Creating success factors

Encourage the initiative to create security culture: Stakeholders within the organizations should promote a security awareness culture to maintain a positive attitude toward information security. Support for security measures expected by the enterprise will help the company achieve their goals. In addition to that, business managers should look for employees who are not working with the right attitude and help create a positive and proactive environment.

Lead by example: Regardless of what leaders tell employees, if they don’t follow the defined processes, policies, and controls then it will create the wrong impression among the employees and they will become less serious about the security culture.

Fundamental understanding of the information security: Stakeholders in the organization may not be security experts, but they should be provided with additional training to get a foundational understanding and knowledge of security. Having basic knowledge of security among the employees and between the leaders can mitigate the possibility of individuals involved in security incidents.

Proactive leadership involvement: Stakeholders in the organization should create a proactive plan for an incident response plan, business continuity plan, and other key procedures. Every stakeholder might not be aware of the procedures, but being aware about such information allows leaders to contribute to the organization.

Gap Analysis: First, you need to understand the existing gap analysis, which is where the organization stands today. By performing the gap analysis, you can easily find what needs to be done and when.

Needs differ for each department: Different departments and disciplines have different needs as per their knowledge and skills. It is also advised to run the safety program to create an iterative culture building process across the departments so that it is easier to see if such a safety program has the desired effect.

Improve security competence : You can perform many activities to spread awareness across the organization to improve the overall security. Metrics should be defined for each activity to understand if the goal has been achieved or not and to improve the overall security competence.

Games: Cost and complexity of developing games today is lower than ever. We can create both computer games as well as board games related to security awareness and quiz to improve security awareness.

Ethical hacking: Hire a company that can test physical security, employee goodwill, and your public-facing systems to avoid phishing attacks.

Be flexible to the corporate culture: Creating a security culture differs not only from organization to organization but also within the departments and management levels.

Instead of creating a fixed path to drive security training across the organization, it is better to sit together with senior stakeholders and employees and create a security awareness program.

Validate training to achieve organizational goals: Phishing attacks , data breaches, and CEO fraud attacks are the major concerns by most practitioners across the world. Undertrained employees lack the ability to detect security threats and don’t have a correct understanding of a security attack. Be ready to focus not only on the best training but also to train for all possible scenarios.

Replicate phishing scenarios at random intervals: Phishing simulation techniques are really important for maintaining the workforce’s phishing defense. Simulating phishing scenarios will enable organizations to understand and predict employee behavior against the attack and track behavioral changes over time.

Frequency of the training: Security training should happen often, to keep security a top priority for everyone. Although there is no magic frequency for such training, short trainings distributed frequently are most effective and best able to create a security culture across an organization. See Figure 8-3.

Focus on employee’s behavioral changes : Security professionals view technical infrastructure as a more useful tool for avoiding security incidents rather than creating security-aware training. It is impossible to replace security training with the technical controls. Physical infrastructure is great at preventing security attacks until a phishing email comes into an employee’s inbox. It is worth considering security training as the outcome of behavioral changes rather than as a compliance requirement. This behavioral change is not the ultimate goal of the training, but it is measurable. Focus on the phishing rates, number of employees who report to an email, and events blocked by the endpoint protection to back security awareness with data. See Figure 8-4.

Keep faith in employees to tackle security challenges: Security professionals report low confidence in the company’s employees and stakeholders to handle phishing attacks. Having limited confidence in employees’ ability to handle security threats makes it important to treat security incidents as an opportunity rather than showcasing them as the inability of employees to tackle security issues.