Episode 202 - Evaluating Your Security Program: Awareness & Education

The Southern Fried Security Podcast by Martin Fisher

Jan 29, 2018 | 33:36 | Technology

Questions About This Episode

What is Episode 202 - Evaluating Your Security Program: Awareness & Education about?

Episode 202 - Evaluating Your Security Program: Awareness & Education

Why Evaluate Your Program

- Part of annual policy review
- If you don't evaluate you will never improve
- Continual review will help protect your budget
- Awareness and Education is how most people in your org know the program
- Threat Mapping maps the outside threats to your inside controls & tech
- Communications is that final turn from the inside out

Start At The Outside and Move Your Way In

- What do you think you do?
  - Mandatory CBLs
  - CyberCyberCyberStuff (Posters, Email, Swag)
  - Briefings and Classes
  - Phishing Awareness
  - $NOVEL_IDEA
- How many people is it designed to engage?
- Not how many people took the awareness, how many people were ENGAGED?
- How many people were actually engaged?
- How did they do? (CBL completions, % phished, reviews, etc.)
- If CBL_Completion = 15(clicks) then you may want to rethink that
- 0% phished is not a sign of a great security program...more likely a sign of a bad phishing program
- If there is no way to allow for anonymous reviews of training/briefings/etc. then you're not likely to get fully honest reviews (Who wants to piss off security?)
- Are you being honest with yourself?
- How do you measure it?

Measuring Awareness & Education

- Don't change the measurement...change the program
- The key to long term success is consistently measuring the same thing over time
- You may want to update goals (up or down) but be able to explain why, especially if you are making the test easier
- Big changes in delivery will skew the numbers in ways you likely will not like
- Constant large turmoil is counter to most corporate cultures
- Small changes take advantage of previous investments best
- "Iterate small and grow larger" - doing too much too fast almost always ends in highly suboptimal results over time
- Don't make drastic changes until Year 3 unless you have to make drastic changes
- Clearly failing components should be axed and replaced and not tweaked around the edges - especially if there's a compliance or safety aspect

Adjusting The Program

- If this feels like "Wash, Rinse, Repeat" it's because it is "Wash, Rinse, Repeat"
