Security awareness roadmap

I had the chance last week to think about security awareness training roadmaps. Here are some of the key areas I suggest considering.

The goal of your program is to train people on a continuous basis without interrupting them in their work.

You can integrate basic training into the onboarding process, and provide advanced training on an ongoing basis.

Include in your basic training:

  1. Understanding your acceptable use policy.
  2. Creating and storing passwords.
  3. Evaluating the sensitivity of information.
  4. Sending secret messages using a secure channel.
  5. Reporting security incidents.

You want to train people on topics that are relevant to the objectives of the organization but also to their own success at their job. Topics for advanced training should be decided at the beginning of each quarter and the content selection adapted for the needs of different groups.

At this point in time, or as a starting point, I recommend:

  • For executives and directors: Getting the most out of tabletop exercises.
  • For people managers: How to communicate during a crisis.
  • For developers & system administrators: How to coordinate effectively during outages.

Update job descriptions to reflect the responsibilities that people have.

This is important because you want the training to match people's level of access, and you can't verify people's level of access without accurate job descriptions.

You can ask IT to provide you with a spreadsheet that lists out everyone’s permissions to make this task easier.

Host a Q&A session about cyber security every quarter. People who participate should be eligible for prizes.

Measure progress by using standard engagement metrics. Ask your favorite marketing friend to help you with that.

Make your initiative educational but engaging.

Help people feel like they are part of something bigger than themselves, and that their participation matters.

I hope you found this valuable.