SECURING OUR EMPLOYEES



Firewalls

IDS

SSL

Authentication

Logging

Antivirus


Examples

• Use recent examples from media of such attacks (RSA, Epsilon, Oak Ridge National Labs, HBGary).
• Articles in business magazines (WSJ, Forbes).
• Record incidents (www.privacyrights.org).
• Recent human incidents in your organization.
• Conduct a security awareness survey or assessment.
• Compare money invested in securing a company computer versus company employee.


Value to Organization

1. Reduce risk (get examples of risk metrics from www.securingthehuman.org/resources/planning).
2. Remain compliant (list any specific standards your organization must be compliant with).
3. Reduce costs (freeing up security resources to focus on more advanced threats).
4. Promote a secure brand that is serious about protecting our customers.
5. Train employees on our policies, processes and standards.


Security Awareness Maturity Model

• Non-Existent
• Compliance Focused
• Promoting Awareness & Change
• Long Term Sustainment
• Metrics


Key Points on Awareness

• Most awareness programs have had little impact because they were never designed to.
• Awareness is another control.
• Long term program – lifecycle.
• Not just prevention – detection and response.
• Not just about clicking on links.


What We Need

• Senior management support, including being part of communications.
• Business unit / department support to help coordinate organization-wide deployment.
• Access to resources (such as marketing, communications, human resources, etc.).
• Budget.
• Sign-off on program or planning of program.


Summary

• Humans are another operating system, but to date very little has been done to secure them.
• We can dramatically reduce risk to our organization and remain compliant by implementing an active, longer term awareness program.