Three C’s of Security Awareness:
Culture, Change and Creativity
Barbara McCrary
Chief Information Security Officer
The Three C’s of Security
• Culture
• Change
• Creativity
Culture, change, and creativity are central to protecting an organization’s data and assets.
Culture
• A Company’s Way of Life
– Behavior and Practice
– Standards
– Habits and Routines
– Traditions
Behavior and Practices
– Organization Silos
– Communication
– Productivity
– Environment
Change IT’s Ideas About
Effectual Security
• Update Standards
• Habits and Routines
– Process pertinent data first
– Simplify
• Automate Traditional Processes
Change
To improve security and security
awareness:
Change!
Keys to Change
• Protecting data is a shared
responsibility.
• Encourage active participation from
all stakeholders.
Change Everyone’s Idea of
Security Awareness Training
• Regular, daily, weekly, monthly
campaigns that look more like
conversations than training.
– Focused and Small Bites
– Reinforce
– Applicable
Change Everyone’s Idea
of Normal
• Inspire thought and conversation
about ethical computing.
– Change unethical norms.
– Redesign decision processes.
– Reinforce organizational ethics using
reminders and currently held
communication tools.
Creativity
What can we really do to
encourage ethical and secure
corporate behavior?
Get Creative!
Incorporate a Variety of
Awareness Tools
• Add security to process training.
• Send info on trending and current
events.
• Include info that applies to personal
lives, families and personal finance.
Designing Security
Awareness Materials
• Consider the differences:
– generations
– gender
– seniority
Summing It Up
To quote St. Francis of Assisi:
“Start by doing what is necessary, then
what is possible, and suddenly you are
doing the impossible.”
QUESTIONS?