• 2/5/2016Mark Chapman—President & CEO of PhishLine
Part 2: Developing Your Program
The vendor selection process in Part 1 identifies some good questions to ask before starting an enterprise information security awareness program. Once the program is off the ground, where should it go?
PhishLine recommends a proven model to help maximize the effectiveness across the entire lifecycle of your information security awareness program. Our Information Security Awareness Operational Planning™ (ISA-OP™) services provide templates, software, and an experienced team to help both guide and learn from our customers. (Yes, I said learn from our customers. Nobody has all the answers because the questions change over time!)
At a high level, the model considers four basic perspectives of your security awareness program:
The Program Perspective looks at the overall scope, credibility, and effectiveness of the information security awareness program.
The Training Perspective looks at the traditional training aspects of the information security awareness program.
The Attacker Perspective uses mock social engineering and other vulnerability tests to simulate the view of an internal or external malicious attacker.
The Employee Perspective looks at the program from the perspective of all employees and organizational stakeholders.
A robust program will take advantage of overlaps between perspectives. For example, a Teachable Moment occurs at the intersection of the Attacker Perspective and the Training Perspective when a user receives an in-the-moment training opportunity by interacting with a mock phishing attack.
As your program matures from Basic to Intermediate to Advanced, focus on improving it across all four perspectives. Here are three simple ideas for each perspective level to drive the continuous improvement process:
A successful enterprise information security awareness program is dynamic and must evolve. The best advice is to define clear goals at each step to develop the program that works best for your organization for years to come.