But it's not as simple as deciding to do it, he notes. Most security awareness programs inside organizations accomplish little, he says, and the reason is that they were never actually designed to be effective.
Start with a Security Awareness Steering Committee
To begin, he says, you should first establish a security training steering committee. The steering committee should be composed of five to 10 volunteers from a mix of departments and roles that can help to plan, execute and maintain the program. Spitzner recommends including people from audit and legal in the steering committee. He notes that the members of the committee should not only be guides, but ambassadors for the program that help get the members of their organizations on board.
Answer the 'Who,' 'What' and 'How'
Once established, the steering committee needs to create a plan that answers three questions: who, what and how. 'Who' is first. Spitzner says one of the most common mistakes he sees is companies that attempt to create a monolithic security awareness and training program.
"A lot of awareness programs are simply ad hoc," he says. "A proper plan identifies who you are targeting and the scope."
In many cases, different targets (general employees/contractors, IT staff, help desk, senior management) will require different training programs.
"You need to teach absolutely everyone in your organization that touches any data," Spitzner says.
Once the targets are identified, the steering committee needs to determine what each target needs to learn. Spitzner recommends that instead of trying to teach a little bit of everything, the training program should focus on a few topics that will have a big impact. Each organization's needs and risks will be different, so a risk assessment of each topic helps determine where to focus. Common topics include: passwords, social engineering, compliance, email and instant messaging, browsing and browsers, social networking, mobile device security, data protection and data destruction.
The steering committee then needs to determine how it will engage employees.
"How are you going to communicate this? You have to think of awareness as a product," Spitzner says. "You have to think of engagement. Don't focus on the benefits to the organization. Focus on the benefits to the employees. In most cases, this education benefits employees both in their personal life and in the organization. If you focus on the benefits people get in their personal life, you get tremendous engagement, tremendous benefit."
Take a Modular Approach