Build an Adaptive Awareness Program Based on NIST's Cybersecurity Framework

Transcription

1 1 Build an Adaptive Awareness Program Based on NIST's Cybersecurity Framework

2 INTRODUCTION Why Use the Cybersecurity Framework (CSF) for Security Awareness? Why Aspire to "Tier 4"? Components of a Tier 4 Program: Analyze, Plan, Train, Reinforce ADAPT! Or, Putting It All Together with a Tier 4 Program

3 WHY USE THE CSF? 3

4 WHY FOR AWARENESS? 4

5 WHY FOR AWARENESS? 5

6 WHY FOR YOU? You recognize the value of using the CSF You recognize the risks associated with human behavior You're ready to create or expand an awareness program to address those risks You'd be open to creating an Adaptive Tier 4 program you can really be proud of 6

7 FOUR TIERS Tier 1: Partial Tier 2: Risk Informed Tier 3: Repeatable Tier 4: Adaptive 7

8 WHAT'S A TIER 4 PROGRAM? 8

9 WHAT'S A TIER 4 PROGRAM? predictive indicators continuous improvement actively adapts part of organizational culture 9

10 PROGRAM COMPONENTS 10

11 ANALYZE 11

12 ANALYZE Factors to Consider: Surveys / Knowledge Assessments Phishing / Social Engineering Password Detection Incident Reporting Training/Reinforcement Completions Other? SIEM, DLP, and a wide range of other UBA tools 12

13 ANALYZE EXAMPLES 13

14 PLAN 14

15 PLAN Factors to Consider: What are your key risks? What behavior do you want to change? What tools will you use to bring about change (training and reinforcement)? How will you measure knowledge and behaviors (current and future)? 15

16 PLAN EXAMPLE 16

17 PLAN EXAMPLE 17

18 TRAIN 18

19 TRAINING STILL MATTERS Single best vehicle to communicate risks and identify best practices Should adapt to your employee risk profiles Provides an auditable record when tracked by a LMS 19

20 TRAIN Factors to Consider: Web-Based or In-Person Build vs. Buy Easy to Refresh and/or Customize Required or Not Trackable **Does It Change Behavior? ** **Does it Support a Risk-Aware Culture? ** 20

21 TRAINING & BEHAVIOR CHANGE 21

22 REINFORCE 22

23 REINFORCE Factors to Consider: Cost Affordable and even free. Best bang for the buck! Cultural Fit Humor is tricky Aesthetics are subjective Know your company culture Logistics Consider hidden costs 23

24 REINFORCEMENT GIVEAWAYS 24

25 ADAPT! 25

26 YOUR MATURITY LEVEL TIER ANALYZE PLAN TRAIN REINFORCE L4 ADAPTIVE Frequent, context-specific use of analytical tools to understand risk; communicate changes in risk to stakeholders and end users; and generate data that informs the deployment of other program elements Risk-based year-round plan based on both general and organizationspecific knowledge that anticipates shifts in plan based on range of indicators from multiple Adaptive Framework programs Multiple training elements, including role- and risk-based elements, that are customized to meet corporate culture, and readily modified to meet changing risks Regular deployment of a wide range of communications, aligned with known and emerging risks as revealed through regular program analysis L3 REPEATABLE Regular use of multiple analytical tools to understand risk and communicate to stakeholders and end users Risk-based plan based on both general and organization-specific knowledge that identifies and deploys specific training, reinforcement, and analysis across time Multiple training elements designed to meet the varying risk profiles and training needs of different groups within organization Regular, planned deployment of risk-based communications that directly align with training and use a variety of communication styles L2 RISK INFORMED Regular but limited use of analytical tools to understand risk exposure; may or may not be aligned to other program elements or communicated to stakeholders Risk-based plan based on general knowledge that identifies limited number of training, reinforcement, and analysis options All-hands, risk-based training to educate on broad principles Periodic usage of risk-aligned communications; may or may not be aligned with training L1 PARTIAL Occasional, informal, and/or standalone efforts at risk analysis Informal planning based on anecdotal understanding of risks Informal, perhaps ad hoc training, with generic coverage of risks Opportunistic, ad hoc usage of informal communication pieces about risk 26

27 YOUR MATURITY LEVEL TIER ANALYZE PLAN TRAIN REINFORCE Frequent, context-specific use of Risk-based year-round plan based analytical tools to understand risk; Multiple training elements, Regular deployment of a wide on both general and organizationspecific knowledge that anticipates communicate changes in risk to including role- and risk-based range of communications, aligned L4 ADAPTIVE stakeholders and end users; and elements, that are customized to with known and emerging risks as ANALYZE shifts PLAN in plan based on range of TRAIN REINFORCE generate data that informs the meet corporate culture, and readily revealed through regular program indicators from multiple Adaptive deployment of other program modified to meet changing risks analysis Framework programs elements Frequent, context-specific use of analytical tools to understand risk; communicate changes in L3 REPEATABLE risk to stakeholders and end users; and generate data that informs the deployment of other program elements L2 RISK INFORMED Regular use of multiple analytical tools to understand risk and communicate to stakeholders and end users Risk-based year-round plan based on both general and organization-specific knowledge that anticipates shifts in plan based on range of indicators from multiple Adaptive Risk-based plan based on both general and organization-specific knowledge that identifies and deploys specific training, reinforcement, and analysis across time Regular but limited use of analytical Risk-based plan based on general tools to understand risk Framework exposure; knowledge programs that identifies limited may or may not be aligned to other number of training, reinforcement, program elements or and analysis options communicated to stakeholders Multiple training elements, including roleand risk-based elements, that are customized to meet corporate culture, and readily modified to meet changing risks Multiple training elements designed to meet the varying risk profiles and training needs of different groups within organization All-hands, risk-based training to educate on broad principles Regular deployment of a wide Regular, range planned of deployment of risk-based communications that communications, directly align with training aligned and use with a variety known of communication and emerging styles risks as revealed through regular program analysis Periodic usage of risk-aligned communications; may or may not be aligned with training L1 PARTIAL Occasional, informal, and/or standalone efforts at risk analysis Informal planning based on anecdotal understanding of risks Informal, perhaps ad hoc training, with generic coverage of risks Opportunistic, ad hoc usage of informal communication pieces about risk 27

28 ADAPTIVE PROGRAM EXAMPLE 1. Survey employees to get baseline results. 2. Phish your employees. 3. Plan your overall effort--but be flexible. 4. Announce the overall awareness program to all employees. 5. Train all employees on security principles. 6. Reinforce on the highest risks. 7. Analyze and Adapt More surveys Phishing fails with deeper phishing training Use role-based training for functional areas Use personal follow-up messages to reinforce pressure points 28

29 FREE STUFF! Awareness Maturity Model surveys.mediapro.com/maturity Planning Template Reinforcement Animations 29

30 THANK YOU! Steven Conrad Managing Director, MediaPro Tom Pendergast, Ph.D. Chief Strategist, Security, Privacy, and Compliance, MediaPro

31 Thank You!