Blog

Industrial Control Systems (ICS) Security Awareness Poster

One of the challenges we face in the Industrial Control System (ICS) community is awareness. People maintaining our critical infrastructure do not realize how fragile and targeted the supporting cyber systems are, including PLCs, Relays, RTUs and entire SCADA networks. This poster was developed by a community team of industry ICS experts to help ICS Engineers and Operators understand just how much they are a target and why. As always, the first step to changing behaviors is engagement, and the first step to engagement is ensuring people know they are a target. Feel free to download, print and distribute this poster amongst your organization and peers. Download now a

...

Top 3 Indicators of a Next Generation Awareness Program

Security awareness has gone through immense changes in the past two years. It has quickly grown from a compliance-driven, dreaded once-a-year event to an engaging solution focused on changing behaviors. Here are the top three indicators that a program is truly a 'next generation' awareness program.

1. Behavior: The biggest indicator is the organization's goal. If they are focusing on just compliance, if their program is nothing more than a once-a-year PowerPoint presentation, you have an 'old school' program. It will never have an impact because it was never designed to. Next generation awareness programs are designed from the ground up to change behavior. The organization has done a

...

Upcoming SANS Courses on Building High-Impact Awareness Programs

Folks, I'm excited to announce there are two more upcoming SANS MGT 433 courses. This is SANS' two-day course on how to build high-impact, engaging security awareness programs. The content is based on the input, experiences and lessons learned of over 200 organizations. Students love the interaction with their peers, and as part of the course labs you will build your own security awareness deployment plan. Learn more about the course at the SANS MGT 433 website. Upcoming dates include


In addition, SANSFIRE will be taught via Simulcast; you can attend remotely from home in ...

Security Awareness 2.0 - Awareness Has Come a LONG Way

One of the biggest challenges security awareness faces is one of perception: many people in the security community have the misconception that awareness does not work. That is because they are basing their judgements on the past. Security awareness has traditionally been horribly broken; it had nothing to do with changing behaviors or even people. Programs were (and many still are) focused only on compliance. It doesn't take much to be compliant for awareness; all you need is a single presentation once a year or perhaps a quarterly newsletter. Anyone can easily figure out you will never have any impact with something so limited.

Things have radically changed for awareness recently. I've seen a huge, fundamental shift where organizations are designing awareness programs from the ground up focused on changing behavior. The new awareness programs of today are dynamic, creative, engaging and continuously reaching out to people. Structure is being added to awareness programs,

...

New Hire / New Hardware - An Engaging Awareness Touchpoint

A common challenge for an effective security awareness program is continuously reaching out to employees/staff in a fun and engaging manner. Training people once a year may keep auditors happy but will not change behavior. As such, you always want to be thinking of different ways you can reach out to people. The new hire process is a great place to start. While "new hire" training is the first thing that comes to mind, there are other options to consider.

For many organizations, one of the first steps in any new hire process is delivering a new computer and/or mobile device to the new hire. With that new hardware, why not include a simple handout explaining how to keep that hardware secure? This is even more helpful for organizations that have remote employees, where the IT team cannot deliver hardware or train people in person. While some organizations already do this, the key to engagement is how the handouts communicate their lessons. Do not state nor

...