When I was given the challenge to manage a division of IT, I said “Yes” without flinching. The challenge was to manage a division that was growing exponentially due to the number of new employees the company was hiring while creating and promoting a culture of cybersecurity awareness.
My job as an IT Manager would come with many roles because it wasn’t just about managing people as you might think. The responsibilities are diverse from Project Management, Implementing those projects & running them (a.k.a, Operations).
Also had to educate and train the personnel that will be working with the newly implemented system while managing the Help Desk who was taking care of the computer and system users.
Of course, I had teams of professionals working with me running these operations and reporting to me.
The key here is to be aware of your surroundings as a manager. This means that you should never lose touch with the people working on the floor and I don’t mean just your team of employees. I also mean the computer users, system users, manufacturing personnel, Laboratory personnel, management personnel. In fact everyone.
How do you do this?
Simple. Get out of your comfortable chair and start walking the facilities. Start talking to the people, how they are doing. Keep your conversations on a 50% professional, 50% personal ratio (without going too deep in the personal stuff).
This ratio will allow you to get into the thoughts of the people and try to understand things that are behind any possible issue that they will come up with later. Sometimes when people come up with computer or system issues, it has to do more because of their own distractions and can’t get past some process or call-for-action screen.
For example, a user can’t get into a system because they didn’t observe while the system asked them to change their password because they were so distracted that they just kept clicking enter without seeing the prompt screen.
I just guide them on how to proceed to change the password and advice them on observing the prompt screen, never assuming that it will always be the same prompt.
This could save a call to the Help Desk.
Awareness begins in the house
I also asked my team to do the same thing. I wanted them to walk around the facilities and talk to people. Be familiar with them and let them see your faces.
They do this with a purpose. They get familiar with everyone by creating a bond that will create trust. This trust is very important if we want to keep our eyes and ears on the ground. Call it the old fashion network monitoring system that will never fail you.
This helps a team to understand the basics of social engineering. There is no social engineering if there isn’t anything social about it.
How the team learns to create bonds and cultivate courteous relationships is the beginning of a process that will allow you as a manager to instill a principle that will stay with them forever. Mostly, it will allow you to leverage it to implement your programs and projects with a more solid communication with your users.
Example of an Awareness Initiative
One of the many projects that I was responsible for was the Identity Management Program. My team was in charge of educating 100% of Computer Users in order for the company to stay in compliance with the government’s regulatory agencies. This included top management (VP’s or C-Suites, whatever you want to call it), to the user that will execute a specific process that if not done properly, would cause a halt on the manufacturing production, which could cost millions.
I saw an opportunity in this program to leverage it and begin what I called the indoctrination of security awareness (later called cybersecurity awareness). Because I was working in the pharmaceutical industry, and we had to document all actions, what we did was to write a Standard Operating Procedure (SOP) that gave structure to the awareness process.
These program served different purposes. One purpose was to keep a database of all computer users and match them with all the systems they were using and one universal ID to identify these users on the Identity Management System (IdM). This system was also used by the Help Desk to identify a user who’s calling to report an incident with their computer or system application.
Because of this system, I had to let everyone know of its existence for verifying their “Real ID”. This wasn’t done just by sending email promotions. We had to create several training sessions for all working shifts and make sure that 100% of computer users, which basically were all the employees, went through these awareness training.
Today, every single user has a computer ID. The reason for this is because they need access to their pay stubs as every check is directly deposited into their bank accounts. No more killing trees.
We taught everything from how to properly log into our network, what kind of communications they can expect from the IT department in case of emergency, and how to protect their computers and their IDs. Every new employee had to go through this awareness training. If they didn’t take this training, then they couldn’t access a computer and therefore, no job.
This training also applied to contractors that required access to our network.
How we kept information fresh and updated
We kept our company informed of any eventuality, such as a system maintenance or outage, but also we were clear and truthful when we had a system issue and needed to be taken care of. We never had a serious breach of our networks or facilities while I was responsible but my team was prepared for it in case it could happen.
It doesn’t mean that we were that good. No one really is. Never let your ego swell your head. It just means that we had systems in place to protect us.
I know from experience that I can only minimize risks and threats, but never eliminate them. That would be utopic.
Whenever there was new information pertinent to everyone that we thought could be shared, we sent it via email as part of the awareness program. If there was new information that impacted the SOP somehow, for example, a new login process or anything that had to do with the existent process for managing the IdM, then we had to retrain 100% of computer users to be in compliance.
Putting the word “Culture” into Cybersecurity Awareness
Promoting cybersecurity awareness is one thing, but making sure that the people are self-aware is another. The way we made sure about having this behavior ingrained into the culture of the company, was to have every single employee participate in the program. This included top management as well, no excuses and no negotiations out of this one.
When the program was implemented the first time, existing employees had to go to the new training and from then on they knew that any deviation from the SOP, would incur in a violation that would be documented into their employee’s record with an impact into their performance appraisals.
New employees saw first hand how serious we were about our cybersecurity and awareness program. This training was part of their curriculum training to perform the job and the HR department made sure that this was included in the employee’s record.
I just shared with you a real example of how to create and promote cybersecurity awareness. What’s your experience in promoting or receiving awareness? Does your company has a cybersecurity awareness program?
by Edgar Vera, MS Cybersecurity