Building a World-Class Cybersecurity Awareness Program

 In today’s ever-evolving cybersecurity landscape, organizations need to have an up-to-date and effective cybersecurity awareness and training program. Such a program should instill the right set of behaviors among employees and make them a critical part of mitigating organizational risk. In turn, organizations can focus on their core capabilities.

Wavestone recently completed an engagement with a leading specialized health care provider. The client was seeking to revamp its security awareness program and challenge it with industry best standards. To close the gap between ongoing efforts and market best practices, the client engaged Wavestone to conduct a program assessment and identify areas for improvement.

Wavestone developed a 4-dimensions framework to assess the program maturity and frame its recommendations.

Within this framework, a world-class program will excel or have favorable attributes among all four key dimensions, as explained below.

“Designing and Planning” focuses on the “why” of the program along with all the necessary planning and organization. The program should start with understanding the company’s risk profile and define precise objectives of the awareness program. These precise objectives guide the strategic roadmap, content planning, and implementation -- adding a clear purpose to each step forward.

From there, the program can apply a risk-based approach to segment employees and contractors into different profiles. By doing this, the program can better understand and meet the specific needs of each segment. For example, a senior executive who travels frequently will have different security awareness needs than a recently hired front-line employee.

Depending on the needs and realities of each segment, the program will outline expected behaviors and build a corresponding content strategy. To accomplish this, the program should leverage a variety of inputs and gap analysis to determine which expected behaviors should be prioritized for the awareness program. One guiding principle is that positive messages should take precedence over negative ones – it is often more effective to train people on what actions to take, not what to avoid.

“Implementation” is all about “how” the program accomplishes its objectives. Content is typically a starting point: creating or curating content is needed for each segment based on their needs. This can be accomplished by developing a variety of formats from training modules to infographics and leveraging a mix of visual, text, and audio. Content designers may also consider a mix of tones such as serious, funny, empathetic, and helpful.

To facilitate message retention, it is important to build content plans focused on a limited set of new topics and behaviors each month or quarter. From there, the program needs to identify the right teams, channels, and cadence to deliver the content. In parallel, the program can have supporting initiatives and processes to complement core initiatives and help drive desired outcomes. For example, security ambassadors are a great way to push security content while gaining ground-level insights into what works and what can be improved.

“Reporting and Governance” cannot be overlooked as the program needs to evaluate its performance and make continuous improvements. Security awareness is a long-term effort, it’s often difficult to get it right from the start. An effective program will define success metrics at both the program level and initiative level. There needs to be metrics that measure progress along the precise objectives defined during the Design and Planning phase along with specific metrics to indicate the success of initiatives and campaigns.

This reporting structure, along with corresponding processes, will enable the program team to collect regular feedback, socialize with the right audiences, and ultimately improve the program. For example, if metrics indicates that one objective is lacking (e.g., phishing reports have remained the same despite awareness efforts on phishing), then the program can adjust its content or delivery to focus on improving that objective.

“Enablers” refer to the peripheral factors that help enable a program’s success. Everything from funding to branding to executive sponsorship can support (or detract) from a program’s effectiveness. Funding improves the program’s ability to scale, create more effective content, and deploy new or better technologies. Branding and executive sponsorship can enable the messages to reach further and have better retention. Lastly, security culture is a particularly important enabler: people who have a more positive attitude toward security topics are more likely to resonate with the program and buy into its messages.

What we have done?

Leveraging this framework, Wavestone conducted a comprehensive assessment of the client’s current awareness program and identified strengths and areas of opportunity. From there, the team developed a set of recommendations to enhance the program and deliver stronger awareness and training outcomes. Specifically, Wavestone focused on the client’s existing initiatives and capabilities, and anchored its recommendations around either short-term, “no regrets” type of initiatives or long-term, more complex endeavors. For each short-term initiative, Wavestone also clearly outlined the success factors, dependencies, and initial set of actions.

As an example, Wavestone recommended the client to focus immediate efforts to build a strategic roadmap, starting with precise objectives and followed by actions and target outcomes for each step forward. This can be accomplished through planning sessions that consolidate inputs from both primary and secondary sources and build out program objectives.

Following that, Wavestone recommended the client to create an extended list of desired behaviors related to the program objectives and organize desired behaviors into a set of prioritized topics. From there, the topics can be shaped into a content roadmap that guides content creation and helps the client achieve its program objectives.

Overall, Wavestone’s engagement provided the client with a roadmap to improve the security awareness of nearly 30,000 employees and instill the right set of behaviors among different segments.

It will help the client strengthen its organizational resilience and better navigate all the uncertainty in today’s cybersecurity landscape.