AOH :: ISN-3237.HTM

Create a Winning Strategy for Your Awareness Program

Create a Winning Strategy for Your Awareness Program
Create a Winning Strategy for Your Awareness Program 

By Lew McCreary
October 2006

Since this magazine's inception, our CSO friends and sources have 
bemoaned the prevalence, throughout the enterprise, of wrong-headed 
views on what constitutes an excellent security mission and program. 
Frequently, the complaints have pointed explicitly to the upper 
organizational reaches CEOs, other O's, boards of directors. But the 
problem of wrong-headed notions about security in general is often 
acknowledged to be both deep and widespread.

Some years ago, CSO interviewed famously colorful consultant Thornton 
May (see "Why Security Needs to Blow Its Own Horn," May generalized about security 
executives: "These guys are gifted nonbranders! They couldn't sell water 
to a man on fire!"

We beg to differ. There is plenty that lies beyond a CSO's direct 
control. But we are here to tell you this: One thing CSOs do have 
control over, and accountability for, is the way the security program is 
perceived and understood within the enterprise. It all boils down to 
awareness, which is built through patient and relentless education and 
marketingyes, marketingabout the importance of security as both the 
guardian and enabler of core business value.

An aggressive, well-designed and -executed security awareness program 
can help to transform the business culture, increase overall security 
program effectiveness and present the "brand" of the security function 
in a more positive, business-focused light. It can also help the 
security executive "sell up" to senior management and achieve the 
elusive goal of tight integration between business strategy and security 

CSO and the CSO Executive Council, an affiliated professional group, 
recently conducted an online survey aimed at gauging the current state 
and prevalence of awareness programs. Though training is certainly a 
subset, our survey defined formal security awareness programs as those 
that go beyond the basic training of newly hired employees to educate 
them about the organization's policies and procedures. Our definition 
cast awareness initiatives as more in line with a full and timely 
security curriculum, delivered toand sometimes beyondthe enterprise in a 
variety of ways, and embodying many of the features of a highly 
effective marketing campaign.

The results of our survey are mainly encouraging, showing that a vast 
majority of respondents are more than ready to bottle and sell water in 
the hopes of making combustion of all kinds much less likely.

First, 74 percent of our 168 respondents said they have formal awareness 
programs in place that are at least one year old, though such programs 
range in maturity. Of these, 27 percent said they have young programs 
that are between one and two years old; that was the most popular 
answer. Of the remaining respondents, 18 percent were planning to launch 
a program. Only 8 percent did not have plans for an awareness program.

Existing awareness programs target, in varying degrees, multiple 
constituenciesfrom boards of directors to senior executives to 
rank-and-file employees and even, sometimes, outward to trading partners 
and customers. Boards of directors (50 mentions) were in nearly a dead 
heat with vendors (49 mentions) for getting the least awareness 
attention. Not surprisingly, employees (148 mentions) got the most. 
Senior management (123), business unit management (114) and CEOs (84) 
also got plenty of focus.

We also subdivided these audiences into specific functions. Not 
surprisingly, security, operations, IS/IT, HR and compliance were the 
top attention getters. Interestingly, among internal constituencies, 
engineering/manufacturing (68 mentions) and R&D (72 mentions) ranked 
near the bottom of the list. But the absolute low-vote total went to 
partnersthose outside of the enterprise. (For a look at the value of 
treating awareness issues beyond your own walls, see "Building Key 
Alliances," opposite page).

There is recognition that different purposes (and audiences) call for 
different strategies. Take audiences, for example. Cherry Delaney, who 
is just launching a cybersecurity awareness initiative at Purdue 
University (see "Getting Started," Page 34) has identified three core 
audiencesstaff, students and facultyand has chosen to take them on one 
at a time (which makes sense because, for now, she's a one-person 
department). Delaney has plans to exploit the popularity with students 
of social networking sites like Facebook.coma venue unlikely to be of 
much value in reaching staff, whom she is targeting with luncheons, live 
seminars and intranet-based interactive training.

Besides training (129 mentions), respondents use e-mail and newsletter 
alerts (119 mentions), slide presentations (103), live events and 
meetings (94), and the corporate intranet (93). A fun-loving 46 
respondents said they use quizzes, games and other reward/recognition 
ploys to test the effectiveness of awareness messaging (see "Teaching 
Tangible Lessons," this page). Twenty-three said they hold live events 
explicitly for the CEO or board of directors.

We asked respondents to rate which areas of the business benefited most 
from their awareness efforts. By a nearly 2-to-1 margin, respondents 
cited reductions in operational risk (to employees or the business) over 
other risk areas such as customers or reputation and corporate or 
business-unit growth. This seems plausible, since the area of 
operational risk is perhaps the lowest-hanging fruit for awareness 
programs, the place where CSOs can most easily demonstrate benefits.

It is reasonable to infer that our survey may have self-selected 
believers in awareness activities. Still, the results show that the 
development of awareness programs is a growth sector. Especially worth 
noting in that regard is the high number of efforts that are either just 
getting going (18 percent) or have been running for fewer than two years 
(27 percent). Apparently, most of you have now moved beyond bemoaning 
ignorance and are now spreading enlightenment. Teaching Tangible Lessons

Will Pelgrin Director, Office of Cyber Security and Critical 
Infrastructure Coordination, State of New York

Awareness promotion strategy: Hands-on tests

Will Pelgrin says he was the kind of child who had to burn his finger on 
the hot stove before he understood his mother's warnings not to touch. 
"I'm sort of tactile in my approach to learning," says Pelgrin. "Until I 
touched it, I didn't really learn the lesson."

So, to recap: When it comes to learning lessons, listening is good, but 
experiencing is better.

Believing more people are like him than not, Pelgrin values the 
importance of a good tangible lesson. This led him to concoct an 
innovative awareness exercise in the spring and summer of 2005, when 
phishing was the scourge of the moment. "One thing I was concerned with 
was, you know, we send out advisories all the time, we send out alerts, 
we send out white papers. Were they resonating with the individuals I 
sent them to?"

Phishing's mechanisms were not as broadly understood then as they 
eventually became, and awareness defenses against itthe immune response 
to social engineeringweren't fully developed. Pelgrin's team had been 
working to spread the word in the usual ways. To test the effectiveness 
of his antiphishing campaign, he got permission to simulate a phishing 
attack and aim it at 10,000 New York state employees across five state 
agencies. "I wanted to see if we could make a bigger impact by 
demonstrating [the dangers of phishing] versus just [issuing] advisories 
saying here's what will happen if you fall prey to it."

In practical terms this meant crafting a phishing-style e-mail intended 
to trick recipients into surrendering their user IDs and passwords. The 
e-mail, purporting to come from Pelgrin's own agency, said that the 
state had just purchased a "password-checker" software program that 
could evaluate whether users' passwords were good or bad, and that it 
needed their access information in order to do its work.

"I figured this would be really blatant, but also somewhat enticing as 
well. It was a fake URL; it came from, allegedly, our [information 
security office] here, but the actual e-mail address was not the correct 
one. So if people were doing due diligence, we gave them absolute hints 
throughout. We didn't want to have it so foolproof that there was no 
opportunity for someone to sit back and say, Wait a second, something 
else is going on here.'"

The e-mail linked to a bogus webpage purporting to be an official state 
document. Pelgrin's team coordinated with the Anti-Phishing Working 
Group to make sure their design embodied the earmarks of a 
state-of-the-art phishing attack. The document included a form asking 
users for their IDs and passwords. As soon as a recipient placed his 
cursor inside either of the dialog boxes on the form, it was assumed he 
had fallen for the scam and the exercise automatically ended. "We didn't 
want anyone thinking we were [actually] going to capture secure or 
sensitive data."

(There's this weird double-negative thing at work here: A fake phishing 
e-mail goes out intended to fake-fool users by sending them to a 
fake-fake website where they end up being not really entrapped.)

According to Pelgrin, 15 percent of the 10,000 recipients fell prey to 
the simulated attack. Users deemed to have failed were sent to a brief 
online tutorial he authored on how to recognize a phishing attack; they 
were also shown a video on phishing from Microsoft and then presented 
with a quiz inviting them to view 10 websites and decide which were 
genuine and which were fake. (The quiz is available from Mail Frontier 
at "I wanted this to be a very warm and 
fuzzy approach to learning," Pelgrin says.

Besides his enthusiasm for demonstrative learning, Pelgrin also extends 
his awareness work beyond New York to other states and government 
agencies, both through informal networking activities and through his 
chairing of the Multi-State ISAC (, which hosts a Cyber 
Security Awareness Toolkit and other resources. Building Key Alliances

Greg Halvacs VP and CSO, Cardinal Health

Awareness promotion strategy: Get decision-makers involved

Greg Halvacs is a relationship builder. Just about every good thing that 
happens for Halvacs' security program grows out of the strong 
connections he's made with key people in the business. For example, when 
he headed up global security at Kraft (he joined Cardinal in April), he 
says, "I built strong relationships with quality [control]. Because 
nothing got done at Kraft unless there was a quality process [involved]. 
So getting the senior vice president of global quality on board and 
sharing, like on issues around the whole area of food protection, was a 
big win."

But Halvacs doesn't stop with top functional executives; he also works 
to create deep linkages across the entire organization. At Kraft, which 
has operations in 152 countries and at hundreds of sites, Halvacs 
identified and recruited between 300 and 400 "site coordinators," whom 
he empowered to be his local emissaries. (Note: Halvacs is a member of 
the CSO Executive Council.)

"We trained them on the basic elements, the basic X's and O's of 
Security 101," he says. "Because what I've found is that you'll never 
have a large [security] organization, so you have to empower the field 
and show them what they can do to prevent things." For example, while at 
Kraft he published a simplified field guide on how to handle 
investigations without needing someone from global security to parachute 
in (though, of course, there was a soft-sell bailout: "And if you need 
help, call us").

"Driving programs through the site coordinator is key so that there's 
[local] ownership. And the mantra of the day for uswhat I pushed [at 
Kraft] and now at Cardinalis to try to build self-sufficient programs. 
Give [functional leaders and site management] the information they need 
so they can make the best decisions," he says.

While CSOs often talk about creating a "culture of security," Halvacs 
recognizes that the diversity of internal organizations suggests that 
security programs have to exist in, and be transportable to, many 
different cultures. "Everybody has a different need and a different 
spinwhether it's a sales office or whether it's a manufacturing facility 
or a corporate office," he says.

Awareness programs can reach beyond the enterprise to touch suppliers 
and other trading partners. "At Kraft we did the same thing with our 
suppliers and comanufacturers [as we did internally]. We built awareness 
in baseline [programs] and standards that they had to follow. And we 
allowed them to plug in to our training and awareness resources," he 
says. Although imposing internal standards externally can be politically 
delicate, Halvacs says that "because we were very important customers of 
theirs, they would basically bend over backward." Again, his strategy 
was to have Kraft executives in the quality group, as the substantive 
owners of the supplier relationships, drive the third parties' 
compliance with global security's standards.

Asked what he thinks the "killer benefit" of awareness benefits is, 
Halvacs alludes to a core CSO challenge: getting key decision-makers to 
respond appropriately in a potentially volatile situation. "It's knowing 
when to pick up the phone when they get in trouble, from the very first, 
and not screwing something up and shoving it under the rug. [It's 
getting] the light to come on when they're in the middle of the 
situation," before it spirals into crisis. "That, I think, is the 
biggest bang for the buck," he says.

Halvacs says good awareness programs can help drive home to senior 
management the ROI of proactive security initiatives. He cites 
background screening and drug testing. "Those are real numbers, you 
know, because the government says [drug abuse costs a business] anywhere 
from $10,000 to $12,000 per employee" annually (in health claims, sick 
time, workers' comp and on-the-job injuries). Adding drug testing to 
preemployment background screenings can save a business $1 million a 
year for every 100 high-risk applicants it doesn't hire. "You can really 
show the ROI, or cost avoidance," Halvacs says.

So, how would he advise someone just starting an awareness program? "I 
would definitely do some due diligence and work at the high levelthe VP, 
senior VP level. Ask what are the needs in their organizations, what's 
keeping them up at night. I think, more than anything, it's building 
relationships at the top," he says. "Really, the key word is 
partnership." Getting Started

Cherry Delaney Coordinator of Security Awareness and Outreach, Purdue 

Awareness promotion strategy: Divide and conquer unruly constituencies

When launching a security awareness program, you may find it hard to 
know where to begin and harder still to stick to your strategic planall 
that flagrant lack of awareness crying out for remediation! Cherry 
Delaney, Purdue University's coordinator of security awareness and 
outreach, faces the tug of competing priorities on a daily basis.

Delaney, a 10-year IT veteran who is just eight months down the road 
toward creating the school's first cybersecurity awareness program, is a 
lone ranger patrolling an uneasy range. "There's just one of me," she 
says. And Purdue, based in West Lafayette, Ind., is like other 
universities, committed to traditions of open inquiry and free-flowing 

Academic culture is thus a double-edged sword that presents special 
challenges to a security program. "That is a problem. We do really try 
to stay open," acknowledges Delaney. "And so hackers, or whoever, are 
hitting us harder than [they do] corporate sites, because we don't nail 
things down; we don't shut down as much as [businesses] do to control 

Add to that the regular turnover of significant percentages of the user 
communitystudents, staff and faculty who come and go with each new 
semesterand you have awareness issues of extra complexity.

As with any unbegun awareness program, there's no wrong time to start 
one. But, in Purdue's case, why now? "We had a breach of Social Security 
numbers last year," says Delaney, "and that really heightened [the 
interest in improving awareness]. Making national headlines is not a 
good thing."

That Purdue breach, along with other well-publicized data mishaps in 
both government and the private sector, got people tuned in much more 
urgently to the fact that Purdue "needed to have some kind of marketing 
communication and training in awareness." Moreover, Indiana, like many 
other states, recently passed legislation governing Social Security 
disclosure and breach notification, placing new liability on 
institutions of all kinds.

Delaney's launch strategy has been to address the university's three 
blocks of usersstaff, students and facultyone constituency at a time. 
She chose to start with university staff, in part because they, more 
than students or faculty, would be subject to the state's new 
data-handling requirements. Plus, after nine years spent in Purdue's IT 
function, Delaney is well-acquainted and has influence with that group. 
"It's not that I'm doing nothing for students and faculty," she says. 
It's just that she's trying to remain focused on first things first and 
not allow herself to be run in too many directions.

In getting the word out about security priorities, Delaney relies on 
departmental luncheons, webcasts, podcasts and low-cost campuswide 
publicity (pitching security-related stories to The Exponent, Purdue's 
daily student newspaper, and Inside Purdue, a publication for faculty 
and staff). In October she held a staffwide Security Awareness Month, 
featuring daylong presentations on the most urgent data security issues: 
encryption, data security on the road and working from home, information 
classification and the operational requirements of the new state 

One challenge is communicating with her various audiences in terms that 
will resonate with each. "You have different levels of expertise you 
have to talk to," she says. And not only expertise but frames of 
reference. "I mean, not as many staff people are going to be on [a social networking site popular with collegians] as 
students. So you've got different issues, depending on the demographics 
of the people you're trying to reach," she says.

Faculty members represent perhaps the toughest nut to crack. They enjoy 
plenty of authority and autonomy. For that reason they are a little like 
lawyers or physicianstwo famously tough groups to domesticate to habits 
of right behavior that may seem in conflict with their sense of mission. 
That reality makes it clear why Delaney might want to get her game face 
on by tuning up with the friendly staff.

Lew McCreary, CSO's former editor in chief, is a member of the Content 
Expert Faculty of the CSO Executive Council.


Ideas from Awareness Survey Respondents

* Live events help lessons sink in. Hold monthly brown-bag awareness 
  lunches for departments or remote facilities.

* Stay in people's faces: Publish a monthly newsletter on current 
  security threats and issues. Report security metrics, both good and 

* Find ways of expressing the cost-avoidance benefits of improved 
  security. For example, put a dollar amount on fewer incidents and 
  shorter recovery times.

* Have the CEO and other top executives attend security Q&A meetings 
  (and have them take some questions). Make sure important security 
  memos go out under the CEO's name.

* Have direct contact with employees. Manage by walking around!

* When new threats emerge, act quickly to inform the enterprise. 
  Demystify but don't scare.

* Make awareness initiatives vivid so that they are felt on a personal 
  gut level by individual employees.

* Engage in multimedia education: posters, online tutorials, live 
  events, podcasts.

* Focus on high-value awareness initiatives: loss-prevention in retail 
  businesses, counter-competitive-intelligence strategies in 
  research-rich environments, data privacy in financial institutions.


Copyright 2002-2006 CXO Media Inc. All rights reserved.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2015 CodeGods