Time
1 hour 2 minutes
Difficulty
Advanced
CEU/CPE
1

Video Transcription

00:01
Hello and welcome back to Revenue Protection as a CISO. So
00:06
in this module we will discuss why a security champion program is needed,
00:12
how to use security awareness training effectively and why security policies are important.
00:22
Security champions.
00:24
This is your secret weapon.
00:26
Educating key individuals in each functional area and having them champion security for you.
00:32
You cannot be everywhere, but these are your eyes and ears that you will engage with regularly. They will help you
00:40
stay up to date on what's working and what's not working.
00:44
They are your posts on security within the organization.
00:49
Security champions
00:51
will help you
00:53
engage with
00:56
the security team. They will act as the voice of security
01:00
for a given product or a team, and they will assist in the triage of security bugs for their team or areas. So this is literally a win-win all the way around,
01:14
identifying
01:15
key individuals in HR, finance, marketing and development that you can communicate with regularly, that can help you understand
01:27
which of your initiatives went over well, which ones are areas for improvement, and which ones you may need to relax and bring back into the lab and refine and try again.
01:41
As I mentioned, you can't be everywhere all the time, depending on the size of your organization.
01:47
So consider these as liaisons in each individual department that could give you that inside information, good inside information on
01:57
how your initiatives are being received.
02:01
Um, so one of the things that I think that you should also roll into this is
02:08
a way to incentivize
02:10
your security champions to participate.
02:14
Um, and what I mean by that: maybe it's, you know, taking them to lunch once a quarter. Maybe it's an Amazon gift card. Who doesn't like an Amazon gift card?
02:25
But something that will encourage them to seek and solicit feedback from their peers and report that back to you.
02:35
And that's only gonna help you refine, tweak and, um, you know, roll your program out in such a manner that it is being effective and not, ah, a hindrance. You're not being that blocker to security.
02:54
Security awareness training.
02:58
That's always, ah,
02:58
when I think security awareness training, I always think about that click exercise in PowerPoint. You get that email that says, Hey, it's time for you to complete your annual security awareness training. Um, and then, you know, you open the PowerPoint or
03:16
whatever delivery mechanism is, and you click, click, click through it. You make it to the end,
03:23
you know? And then is it you print, sign
03:27
and submit it back.
03:29
So security awareness training in 2020 does not work like that.
03:35
Uh, it should not be a point in time effort. It needs to be continuous. It should be engaging. It should educate and empower.
03:46
What I mean by that is, um, and I'll use an example of what we take,
03:52
is we take a gamified approach to our security awareness training. Um, the company that we use provides
04:01
content monthly, but it pulls information from breaches that we've all seen and heard about, but it makes it plain, so it's not overly technical, and it has, ah, an entertaining twist to it.
04:18
But one thing that I've seen in our organization is
04:23
I've seen the results of a continuous,
04:28
entertaining and gamified approach to security awareness training. You're probably asking, what do you mean?
04:33
We get more inbound questions around email and phishing and suspicious emails in particular that we weren't getting before we took this approach. So we're regularly educating our employees,
04:48
and not only our employees. We've made the security awareness training available to their families so they can share these episodes with their families. And now we're building a culture or ecosystem of security
05:04
that they will take home with them and their kids, their family, their parents or whomever they choose to share it with
05:12
will be
05:14
better educated and better able to protect themselves from ransomware, phishing attacks and things like that. So that point-in-time click exercise of security awareness training may check a box, but is really not fostering a culture
05:33
of,
05:34
um, security within an organization. Nor is it empowering your employees. You know, I'm a big believer in taking the carrot and not the stick approach.
05:46
What I mean by that is
05:47
yes, we get more inbound tickets in to security asking about the validity or safety of email. But I would much rather have
05:58
that happen than have, ah, employees afraid to click an email and take no action, or just not care and go click-happy, because the attacker only has to be right once.
06:13
So I will
06:15
take
06:15
the uptick in inbound activity through tickets any day, because I know the training is working.
06:30
Security policies.
06:32
Do your employees know what your security policies are? Do they know where they are? Um, are they regularly communicated? Are they easy to find and understand?
06:45
When was the last time you actually reviewed and updated them? This is one of the things that,
06:53
um, often goes under the radar. If you're not pursuing regulatory compliances and certifications like ISO 27001 or SOC 2, your policies are stale. Have they adapted to,
07:10
you know, change? Right now, as I'm filming this, I've been working from home for the past seven weeks because of the COVID-19 pandemic.
07:20
Um, were your, you know, work-from-home policies prepared for prolonged work from home, if you were an organization that typically didn't allow work from home? Um,
07:33
what do your business continuity plans look like? Your incident response policies?
07:39
Um, are they communicated to the board? Does your executive team know who's on the incident response team? Are they on the incident response team and not know it? Have you clearly defined roles in your security documentation?
07:56
So this is the area that a lot of security people don't necessarily enjoy: documentation. I know documentation is not big on my list, but it's a necessary evil, and
08:11
once you do it once, the updates are relatively painless. But it's something that you know you definitely need to have in place. But this is one of those things that
08:22
you can also go a long way
08:26
for, um,
08:28
differentiating your company from other companies. I mentioned that I'm filming this from home, and I've been working from home because of COVID-19, but we've seen a lot of customers
08:41
email us to ask us about our business continuity policies: what specific, you know, elements of it prepared us to continue business in a prolonged and uncertain work-from-home scenario.
08:58
So luckily, we had just completed an audit and all of our policies were fresh. But that's just one of those things I will use as an example, that you should always keep your documentation up to
09:16
par, because you never know when an auditor or regulator may come in and ask you to produce these documents.

Revenue Protection as a CISO

In this course you will learn strategies to transform the way your security program is viewed.

Instructed By

Terence Jackson
Chief Information Security and Privacy Officer
Instructor