Episode 202: -Evaluating Your Security Program : Awareness & Education

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
  2. Start At The Outside and Move Your Way In
    1. Awareness and Education is how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  3. Measuring Awareness & Education
    1. What do you think you do?
      1. Mandatory CBLs
      2. CyberCyberCyberStuff (Posters, Email, Swag)
      3. Briefings and Classes
      4. Phishing Awareness
      5. $NOVEL_IDEA
    2. How do you measure it?
      1. How many people is it designed to engage?
      2. How many people were actually engaged?
        1. Not how many people took the awareness, how many people were ENGAGED?
      3. How did they do? (CBL completions, % phished, reviews, etc)
      4. Are you being honest with yourself?
        1. If CBL_Completion = 15(clicks) then you may want to rethink that
        2. 0% phished is not a sign of a great security program...more likely a sign of a bad phishing program
        3. If there is no way to allow for anonymous reviews of training/briefings/etc then you’re not likely to get fully honest reviews (Who wants to piss off security?)
  4. Adjusting The Program
    1. Don’t change the measurement...change the program
      1. The key to long term success is consistently measuring the same thing over time
      2. You may want to update goals (up or down) but be able to explain why especially if you are making the test easier
    2. Don’t make drastic changes until Year 3 unless you have to make drastic changes
      1. Big changes in delivery will skew the numbers in ways you likely will not like
      2. Constant large turmoil is counter to most corporate cultures
      3. Small changes take advantage of previous investments best
      4. “Iterate small and grow larger” - doing too much too fast almost always ends is highly suboptimal results over time
    3. Clearly failing components should be axed and replaced and not tweaked around the edges - especially if there’s a compliance or safety aspect
  5. If this feels like “Wash, Rinse, Repeat” it’s because is it “Wash, Rinse, Repeat”