A CISO’s guide to: Security awareness on a shoestring
15 May 2019
Limited budget doesn’t mean limited information security awareness.
The Project Management Triangle states you can only achieve two of the three basic project axes – quality, budget and schedule. For example, a low-quality project can be completed quickly and within budget.
Similarly, sacrificing (increasing) budget means you can complete on time and to required quality.
But what if you are charged with project responsibility and only given two axes – quality and schedule to work with? What if you have little or no budget?
In an ideal information security world, all organisations would spend significant time and budget doing baseline research, developing a strategy and deploying a thorough and bespoke awareness training programme, based on learning, communication and engagement. Now of course, the reality is that not all organisations can afford this. Money is not infinite, nor even plentiful for some data-sensitive organisations. In this case, how do you best utilise a small budget for information security awareness?
Let’s look at this through the prism of how decision makers — who perhaps work for a charity or small organisation and/or have minimal buying power — empower themselves to deliver a robust information security awareness programme on a shoestring.
Strategy – take only what you need
With the best will in the world, you are not going to be able to do everything. So, first assess the lie of your information security land. Are you a national operation with a central office and local branches staffed by low-paid employees and/or volunteers? Or regional with a similar, but smaller set-up? Or local with few, if any branches? How much data does your organisation deal with and what type — commercial, client, sensitive (as defined by GDPR)?
Stick to the basics to help keep the cost down. Provide information security awareness training only in areas that have most relevance to your operation. For example, if you are a charity with many employees located in high street shops, you may want to concentrate on:
- Information security basics/overview (including GDPR).
- Strong password creation and management.
- Payment Card Industry Data Security Standard (PCI DSS).
- Physical security.
If you are a B2B operation working with prospect/client commercial data, maybe add areas such as phishing and using email and the internet securely to the list above.
In both examples, subject areas such as working away from the office and information security for IT developers are probably not relevant and so, while nice to have, are not priorities.
Does nearly free work for you?
While there may not be such a thing as a free lunch, low-cost online information security awareness training does exist. This channel is surprisingly cost-effective and greatly and demonstrably improves the knowledge of those who take the courses. As well as the accepted benefit of people being able to learn at a convenient time and at their own pace, another major plus point is that with modular online solutions, you can choose training for only the most critical areas of your business (following your ‘take only what you need’ strategy).
Check out The Security Company’s off-the-shelf eLearning solution modules for some low-cost, easy-to-implement options.
Advice is free – call the cops
When information security concerns move governments, police and other authorities to provide free guidance, advice, materials and training, you know it’s serious. Taking advantage of this official form of help is a no-brainer when putting together your low to no cost information security awareness solution.
- The National Cyber Security Centre — part of GCHQ — offers advice, guidance and articles across a comprehensive range of subjects.
- The Metropolitan Police offers great practical advice on how to avoid cybercrime.
- The Department for Digital, Culture, Media and Sport – a UK Government department – provides free online training for businesses as well as a host of other useful help and advice.
How about completely free?
To complement the training you provide, there are free materials available to reinforce the learning. These include posters, infographics, screensavers, videos, and more. Googling ‘free information security awareness training materials’ will show where to find useful material free of charge. For example, this YouTube video powerfully shows the need to maintain your social privacy settings: How private is your personal information?
Squaring the triangle
When it comes to delivering an impactful information security awareness programme on a shoestring, there are three principal areas to consider:
- Assess your critical information security areas and focus only on these — forget the nice to haves
- Use online learning as your programme platform — highly recommended for cost-effectiveness
- Maximise the use of free guidance and materials – Google is your best friend here (“other search engines are available”)
If you are working to a restricted information security budget, we’d love to hear the unique ways you deliver results with only the time and quality axes of the Project Management Triangle at your disposal — feel free to contact me at firstname.lastname@example.org