Episode 202: Evaluating Your Security Program: Awareness & Education
The Southern Fried Security Podcast
Release Date: 01/29/2018
Episode 202 - Evaluating Your Security Program: Awareness & Education
- Why Evaluate Your Program
  - Part of annual policy review
  - If you don’t evaluate you will never improve
  - Continual review will help protect your budget
- Awareness and Education is how most people in your org know the program
- Threat Mapping maps the outside threats to your inside controls & tech
- Communications is that final turn from the inside out
- Start At The Outside and Move Your Way In
- What do you think you do?
  - Mandatory CBLs
  - CyberCyberCyberStuff (Posters, Email, Swag)
  - Briefings and Classes
  - Phishing Awareness
  - $NOVEL_IDEA
- How many people is it designed to engage?
  - Not how many people took the awareness, how many people were ENGAGED?
- How many people were actually engaged?
- How did they do? (CBL completions, % phished, reviews, etc.)
  - If CBL_Completion = 15(clicks) then you may want to rethink that
  - 0% phished is not a sign of a great security program... more likely a sign of a bad phishing program
  - If there is no way to allow for anonymous reviews of training/briefings/etc. then you’re not likely to get fully honest reviews (Who wants to piss off security?)
- Are you being honest with yourself?
- How do you measure it?
- Measuring Awareness & Education
- Don’t change the measurement... change the program
  - The key to long-term success is consistently measuring the same thing over time
  - You may want to update goals (up or down) but be able to explain why, especially if you are making the test easier
  - Big changes in delivery will skew the numbers in ways you likely will not like
  - Constant large turmoil is counter to most corporate cultures
  - Small changes take advantage of previous investments best
  - “Iterate small and grow larger” - doing too much too fast almost always ends in highly suboptimal results over time
  - Don’t make drastic changes until Year 3 unless you have to make drastic changes
  - Clearly failing components should be axed and replaced and not tweaked around the edges - especially if there’s a compliance or safety aspect
- Adjusting The Program
- If this feels like “Wash, Rinse, Repeat” it’s because it is “Wash, Rinse, Repeat”