Hello and welcome back to Revenue Protection as a C. So in this module we will discuss why a security champion program is needed, how to use security awareness training effectively, and why security policies are important.
This is your secret weapon: educating key individuals in each functional area and having them champion security for you. You cannot be everywhere, but these are your eyes and ears that you will engage with regularly. They will help you stay up to date on what's working and what's not working. They are your posts on security within the organization for the security team. They will act as the voice of security for a given product or team, and they will assist in the triage of security bugs for their team or area. So this is literally a win-win all the way around: key individuals in HR, finance, marketing and development that you can communicate with regularly, who can help you understand which of your initiatives went over well, which ones are areas for improvement, and which ones you may need to relax, bring back into the lab, refine and try again.
As I mentioned, you can't be everywhere all the time, depending on the size of your organization. So consider these your liaisons in each individual department who can give you that inside information, good inside information on how your initiatives are being received. One of the things that I think you should also roll into this is a way to incentivize your security champions to participate. What I mean by that: maybe it's taking them to lunch once a quarter, maybe it's an Amazon gift card (who doesn't like an Amazon gift card?), but something that will encourage them to seek and solicit feedback from their peers and report that back to you. And that's only going to help you refine, tweak and roll your program out in such a manner that it is being effective and not a hindrance, so you're not being that blocker to security.
Security awareness training. When I think of security awareness training, I always think about that click exercise in PowerPoint. You get that email that says, hey, it's time for you to complete your annual security awareness training. And then you open the PowerPoint, or whatever the delivery mechanism is, and you click, click, click through it. You make it to the end, and then you print and sign. Security awareness training in 2020 does not work like that. It should not be a point-in-time effort. It needs to be continuous. It should be engaging. It should educate and empower.
What I mean by that is, and I'll use an example from what we do: we take a gamified approach to our security awareness training. The company that we use provides content monthly, and it pulls information from breaches that we've all seen and heard about, but it makes it plain, so it's not overly technical, and it has an entertaining twist to it. One thing that I've seen in our organization is the results of a continuous, entertaining and gamified approach to security awareness training. You're probably wondering, what do you mean? We get more inbound questions around email, and phishing and suspicious emails in particular, that we weren't getting before we took this approach. So we're regularly educating our employees, and not only our employees. We've made the security awareness training available to their families so they can share these episodes with their families. And now we're building a culture, or ecosystem, of security that they will take home with them, and their kids, their family, their parents or whomever they choose to share it with are better educated and better able to protect themselves from ransomware, phishing attacks and things like that. So that point-in-time click exercise of security awareness training may check a box, but it is really not fostering a culture of security within an organization, nor is it empowering your employees. I'm a big believer in taking the carrot and not the stick approach.
What I mean by that is, yes, we get more inbound tickets to security asking about the validity or safety of an email. But I would much rather have that happen than have employees afraid to click an email and take no action, or just not care and go click-happy, because the attacker only has to be right once. I'll take the uptick in inbound activity through tickets any day, because I know the training is working.
Do your employees know what your security policies are? Do they know where they are? Are they regularly communicated? Are they easy to find and understand? When was the last time you actually reviewed and updated them? This is one of the things that often goes under the radar. If you're not pursuing regulatory compliance and certifications like ISO 27001 or SOC 2, your policies are stale. Have they adapted to change? Right now, as I'm filming this, I've been working from home for the past seven weeks because of the COVID-19 pandemic. Were your work-from-home policies prepared for prolonged work from home, if you were an organization that typically didn't allow work from home? What do your business continuity plans look like? Your incident response policies, are they communicated to the board? Does your executive team know who's on the incident response team? Are they on the incident response team and not know it? Have you clearly defined roles in your security documentation?
So this is the area that a lot of security people don't necessarily enjoy: documentation. No, documentation is not big on my list, but it's a necessary evil, and once you do it once, the updates are relatively painless. But it's something that you definitely need to have in place. And this is one of those things that can also go a long way in differentiating your company from other companies. I mentioned that I'm filming this from home, and I've been working from home because of COVID-19, but we've seen a lot of customers email us to ask about our business continuity policies: what specific elements of them prepared us to continue business in a prolonged and uncertain work-from-home scenario. So luckily, we had just completed an audit and all of our policies were fresh. But that's just one of those things I will use as an example that you should always keep your documentation up to par, because you never know when an auditor or regulator may come in and ask you to produce these documents.