Newcomer III

CyberSecurity Awareness Program recommendations

Hi!

I have been tasked by my organisation to propose and implement a cyber-security awareness program within 6 months, with mandatory training elements. Org: government regulator; staff: 60 % are male aged 40+; budget: limited.

Full disclosure: this is my first time at the rodeo with regards to such a project, and I would appreciate any assistance that will enable me to deliver this requirement in an engaging, efficient and effective manner. If you have created your own program or leveraged the services of a 3rd party, I'd love to hear from you!

Thanks!

8 Replies
Newcomer I

Re: CyberSecurity Awareness Program recommendations

I am 2 years into defining and now operating my first SAT program at a small company (under 150 employees). IMO the key factors are:

- How much time do you have to work on the program per year?
- How much time can each employee spend on being trained each year?
- How will you measure effectiveness?
- How much money do you have to spend annually?

I had 5K USD, 2 weeks to work on the program, wanted data to drive my decisions, and had about 12 hours per year per staff member. I went with KnowBe4 because I immediately recognized that it met my requirements. I did not look at other offerings, so I may have missed something. I do not regret my choice.

Features of the implementation:

- Regular training about data privacy, regulations, phishing, and our information security policies.
- Regular tests of staff's ability to spot and handle phishing attempts.
- Onboarding new employees.

Coming up:

- Delivering software-developer-focused training.

If I had 2 months per year to work on this program (which I don't), I would:

1. Create a better incentive program for spotting test phish.
2. Be better at selecting content for individual employees and team needs.
3. Provide monthly sessions for folks to discuss security training and general issues.

Good luck!

- Mark

Community Champion

Re: CyberSecurity Awareness Program recommendations

> d46j48fx (Newcomer III) posted a new group topic in CISSP Group on 11-04-2019

> Hi!   I have been tasked by my organisation to propose and implement a
> cyber-security awareness program within 6 months, with mandatory training
> elements. Org: government regulator, staff: 60 % are male aged 40+, Budget:
> limited.   Full disclosure: this is my first time at the rodeo with regards to
> such a project and I would appreciate any assistance that will enable me to
> deliver this requirement in an engaging, efficient and effective manner. If you
> have created your own program or leveraged the services of a 3rd Party, I'd love
> to hear from you!    Thanks!

Check out https://www.noticebored.com/

Or, much cheaper (but requiring some work):
http://victoria.tc.ca/int-grps/books/techrev/bkinscab.rvw

Newcomer I

Re: CyberSecurity Awareness Program recommendations

Firstly, are you looking for a cyber security awareness program or an information security awareness program? It's a huge industry problem that we continue to use those terms interchangeably, and they are NOT the same thing. I am doing my best to bring awareness about this, but it's hard when even the big players are using the word "cyber" because it's "sexy" and it's what sells.

But with that said....

Here are a couple of FREE recommendations

My recommendation for a paid solution would be either

I would definitely start with the free resources and grow from there.

Newcomer III

Re: CyberSecurity Awareness Program recommendations

@brandenwagner, thanks for the recommendations; much appreciated!

Hands up... I'm guilty of the crime of interchanging the two terms. I consider my wrists slapped 🙂

Newcomer III

Re: CyberSecurity Awareness Program recommendations

@mmarlow, thanks for this response! It certainly guides my steps with regards to this undertaking and wireframes it in a way that I can grasp and run with. I have attended a few KnowBe4 webinars, and my previous manager recommended them also. Always good to get another "nod" 🙂 Thx!

Newcomer III

Re: CyberSecurity Awareness Program recommendations

@rslade, thx for your recommendations; much appreciated!

Community Manager

Re: CyberSecurity Awareness Program recommendations

We have a course on that from PDI (aka free for members of (ISC)²) - https://www.isc2.org/Development/Immersive-Courses/Building-Strong-Culture-of-Security

Contributor I

Re: CyberSecurity Awareness Program recommendations

Part of the tack I am taking with our Security Awareness is similar to CPEs. While we have a base hour in the policy that will be provided by the Security Team annually, we have put 8 hours as a requirement per employee. The additional 7 hours can be worked out between the employee and their supervisor. Maybe the dev team needs someone with more threat modeling information; then one could go that way. Maybe IT needs to do some in-depth analysis of the security of a new technology or product. Whatever the employee and supervisor agree on that is security related. That way, it is more of a professional development process, and it can adapt to different levels of experience and knowledge in the workforce.