
Where To Start When Building an Awareness Program

When it comes to security awareness, a common challenge I find is that organizations have focused so much on getting management support, budget and materials that when they are ready to start they have not yet thought about how to begin. One of the best places to start is building your team, a steering committee if you like. The purpose of this team is to help guide your program in the years to come. Not only can members provide input, but they can also become owners and champions for your program. Keep the team simple: you are not required to hold regular meetings or even be physically together; something as simple as quarterly Skype conferences may be enough. Also, keep the team small. I suggest no more than 5-7 people; anything larger and consensus building becomes almost impossible. Some key departments I recommend are:

  • Audit: to ensure you meet compliance requirements, especially in tracking your program.
  • Human Resources: as they often control who is trained and when. In addition, they are often responsible for many of the Acceptable Use policies. Finally, if your awareness program addresses any enforcement issues, HR is often where enforcement begins.
  • Legal: for obvious reasons.
  • Help Desk: These folks are often forgotten but can be very helpful for your program. They have the pulse of how the organization is operating. In addition, the Help Desk may be the first place people go to with any security related issues, questions or incident reports.
  • Marketing: As security professionals we know security. We have a good understanding of what the greatest risks are to our organization and how to mitigate them. Where our profession is weak (to put it bluntly) is in communicating these issues. Your awareness program can have the greatest content in the world, but if you cannot engage your employees they simply will not listen. Get marketing on your team and listen to them; this is what they do for a living.
  • Training: Obviously, if you have a training or communications department, be sure to coordinate with them. In organizations of over 10,000 people I often find there are specific branding requirements that dictate what your materials communicate and how.
  • NOC: I find the network operations center is often key. These are the folks who can get you the email addresses of all your employees, and they help create the mailing lists you communicate with. They are also the choke point that controls who can get access to your organization's network or who can get a company email address. You can use your NOC to enforce training for all new hires or contractors: no one gets company access or an email account until they complete initial awareness training.

Once you have your Steering Committee in place, you can begin planning your awareness program. I find the Steering Committee is key to any long-term effort; it is the foundation of your program's future success.

Lance Spitzner is technical director of SANS Securing The Human program. You can learn more at or follow him on Twitter at @lspitzner.
