Implementing a strategic, cost-effective awareness program can drastically reduce cyber-related risks. Iftekhar Alam, CISSP, CCSP, draws on hands-on experience to share practical guidance on integrating cybersecurity awareness initiatives into a government and public sector organization's assurance processes and audit reporting.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
Unlike technology giants or financial institutions, government bodies often lack the economic and human resources to support robust security training programs. In my capacity as cybersecurity lead/vCISO for a government organization, one of my challenges was to improve the agency’s cybersecurity maturity.
Research indicates that nearly 50% of successful breaches involve social engineering tactics, and phishing remains one of the most effective and straightforward methods for compromising systems. With this in mind, I initiated a cost-effective, targeted awareness program that prioritized these two most exploited attack vectors within the agency’s training strategy.
A Practical Approach
My first action was to conduct a comprehensive gap analysis of the existing awareness program, considering cybersecurity strategy, recent audit findings and historical security incident documentation.
Budgetary and resource constraints are significant challenges for government organizations implementing any cybersecurity initiative, particularly security awareness programs. With these limitations in mind, I also convened internal subject matter experts to gather their insights. We systematically reviewed the current budget allocations, taking into account the existing security awareness program, training modules, learning platforms, audit reports, penetration testing reports and security incident reports. As a result of this process, I identified an opportunity to integrate training on social engineering and phishing scam threats into the broader staff development program.
In collaboration with the agency’s learning and development team, I developed modules focusing on social engineering and phishing attacks; completion of these was made mandatory for all new and existing staff members. However, to become embedded in the organization, cybersecurity awareness training needs to be an ongoing process. To bring this about, I worked with the agency’s HR department to make the training modules an essential requirement of the annual appraisal process for all personnel. Notably, no additional costs were incurred in the implementation of these training modules.
Impact of the Targeted Campaign
To assess the effectiveness of the program, I conducted quarterly phishing simulation exercises. The results, along with the completion rates of the training modules, were subsequently included in the organization’s audit and board reports.
Making annual completion of the training modules mandatory ensured that completion rates reached 100% among employees. Following their implementation, we observed a substantial 40% reduction in incidents arising from phishing scams and social engineering attacks. Alongside this, social engineering attempts, including malicious phone calls from scammers, were reported significantly more frequently.
Documentation of these improvements in the audit report led the agency’s executives to recognize a marked enhancement in the overall cybersecurity posture, directly attributed to the effectiveness of our cybersecurity awareness program.
My Recommendations for a Successful Cybersecurity Awareness Program
The gap analysis is a fundamental step, requiring a comprehensive review of existing cybersecurity awareness initiatives, cybersecurity strategy, audit reports and historical security incident documentation. The information you learn is essential to identifying key areas for improvement within the program.
Executive leadership and management support is vital for the successful implementation of a cybersecurity awareness program, so make sure you secure it. I secured support by articulating a well-structured business case that clearly demonstrated the return on investment (ROI) of the cybersecurity awareness program. My document incorporated several essential components: objectives, related costs, benefits, methodologies, pertinent cyber threats within the specific business context, and anticipated outcomes. This step also encourages the establishment of mechanisms for gathering feedback on the program and for conducting regular evaluations, which demonstrate that the business case was valid. As risks and threats continue to evolve, your program must adapt accordingly, and a feedback mechanism will serve as a valuable indicator of its effectiveness.
Cybersecurity professionals and leaders need to assess the current threat landscape to design an effective cybersecurity awareness program. For example, during the development of my program, I conducted thorough research on contemporary threats by consulting sources such as NIST’s CVSS database, cybersecurity threat intelligence (CTI) tools, government agency reports and open-source intelligence forums. Based on this research and the relevant business context, I opted to incorporate modules addressing social engineering and phishing scams into the cybersecurity awareness curriculum.
Reviewing successful security awareness programs from comparable organizations can yield significant time and resource savings, so it is advisable to do so before designing your own.
I also suggest that, for optimal outcomes, cybersecurity leaders should integrate the cybersecurity awareness program within the organization’s broader cybersecurity strategy, assurance protocols, training/education and audit processes. Without such integration, the sustainability of the security awareness program may be jeopardized over time.
Conclusions
My experience illustrates that even a focused cybersecurity awareness training initiative can lead to substantial enhancements in organizational security posture, even in the context of budget and resource constraints. The integration of our initiatives within broader assurance processes, along with a commitment to continuous evaluation, has enabled us to establish sustainable and effective awareness programs that yield enduring impacts.
Iftekhar Alam, CISSP, CCSP, has 18 years of experience in cybersecurity, working in industries such as finance, government and telecommunications. He has held business and technical leadership roles, with responsibility for vCISO services, GRC, AI, security operations, project management and the strategic delivery of cybersecurity programs.