Even though a company's workforce may be well-informed about hardware and software security, they may still be vulnerable when it comes to the front lines of cybercrime. Like many companies, Cisco is engaged in a running technical battle to protect its service offerings from fraudulent use. We are also actively engaged in the human side of this issue: the areas of social engineering and social networking.
Cisco has embedded security into corporate initiatives and into our code of business conduct; as a result, employees are assimilating security in their daily activities. With educated employees and raised awareness throughout the organization, everyone works together toward the common goal of keeping us and our partners and customers secure.
The Cisco Security Education Program helps to:
- Make security pervasive, extensive, and unobtrusive across the company
- Change behavior through active, positive reinforcement, rewards and incentives, and cross-collaboration
- Protect intellectual assets and computing resources
The Security Education Program is essentially an internal marketing campaign to raise awareness about security risks and promote corresponding good practices across the organization. This program is supported by Cisco executive leadership as well as regular employees. It has mandatory and opt-in elements, and is positive and motivational.
The Cisco Security Education Program team consists mostly of volunteer employees worldwide who have a passion for security. The team creates the global security strategy, with global messaging and branding. It plans the program's worldwide goals, and then introduces awareness campaigns on a local, regional basis, allocating resources as needed. All local initiatives follow the global branding to help ensure a consistent, coherent look and feel for all security deliverables.
For the past five years, Cisco's Security Education Program has focused on those aspects of security that relate to human behavior, with awareness campaigns on tailgating, theft, awareness of your surroundings when you are working on the road, and document security. In the last year, we've added campaigns on social engineering and social networking to raise awareness in areas where our natural human instincts to befriend each other and gather in like-minded groups are, paradoxically, what put us most at risk.
Create Your Own Security Program
The sections below give a step-by-step guide to creating and executing a security education plan in your organization, with examples from Cisco's own experience.
We hope this material will help you set up an awareness program at your company. We welcome your feedback. We would like to learn from you, too, so let us know what you would like more of.
Security is about risk tolerance, an individual's actions and responsibilities, and applied technology. At Cisco, we are all accountable for our actions and rewarded for leadership behaviors that help keep our customers, partners, suppliers, and ourselves as secure as possible. Awareness and education are vital for our success.
- John N. Stewart, Cisco Vice President and Chief Security Officer
Once you have established the need for a Security Education Program, you will need to assign resources, assemble a team, and decide on branding.
Dedicate someone to lead your program and focus 100 percent of their energy on security education across the organization. Be sure to appoint an individual who has exemplary communications skills, and knows how to sell, market, and build relationships. The Cisco Security Education Program is led by a communications expert, rather than by an engineer or technical expert, because the main focus of the program is the creation of a pervasive mindset about security.
Be sure to get support from upper management. When the Chief Executive Officer says security is important and practices what he or she preaches, employees take notice.
With minimal resources to carry out the program, it is important to build strong relationships, engage influencers, and nurture those connections. At Cisco, the team consists mostly of volunteer employees worldwide who have a passion for security: a global team creates the strategy, messaging, and branding, and local leads introduce awareness campaigns on a regional basis, following the global branding so that all security deliverables have a consistent, coherent look and feel.
Once you have established your team, you can begin building out your Security Education Program.
Some security risks result from technology failures, but most result from human behavior. People take unsafe measures to save time and effort, and may lack awareness about the security risk involved.
The best way to find out what security risks threaten your organization is to ask your employees. They are the eyes and ears of the workplace. Also, ask your information security department about risks they may have identified. For example, employees who download illegal movies, music, and software without permission are not going to talk about it. But the security team may be monitoring the network, and may see this behavior as a big risk.
Cisco has categorized its employees according to their role, business unit, and region. Each group has specific security needs. For example, engineers, being technical, might decide to disable a security setting because it slows them down, or they might install their own firewall. Sales representatives have a different set of risks. Since they travel often, they might use a laptop on an unsecured wireless network, or read confidential documents during a plane flight without using a privacy filter.
Employees in different regions also have particular needs. Being culturally relevant and appropriate was vitally important to the Cisco program.
It is important to not only ask what risks different groups see themselves and their peers taking, but how they could combat these risks. By customizing your message to target organizational and regional cultures in the right way, you are more likely to make a difference.
Cisco used interviews and focus groups, and asked each group of employees the following questions:
- What do you see as a risk?
- Why do you consider it a risk?
- How do you think we should combat this risk?
- How should we communicate with you?
We gained a tremendous amount of insight through those sessions.
- Engineers: Cisco interviewed engineers in depth, across different disciplines, grade levels, and countries. They identified tailgating (following someone into a building or protected area) as a high security risk. In terms of their preferred method of receiving training materials, 80 percent said they preferred short, web-delivered videos.
- Sales representatives: When interviewed at our annual global sales meeting, Cisco sales representatives helped identify awareness of surroundings as a risk. Confidential information is frequently discussed over lunch at the local restaurant. In terms of communication, sales representatives need a compelling story to feel motivated to take action, and want to know the worst-case scenario. They also need to know what they gain if they make the extra effort to avoid a risk.
Based on your research, as well as on industry research and trends reported in the media, you may find several areas of risky behavior that need to be addressed. However, it is best to focus on the top three or four that can be addressed by an awareness program, rather than try to address everything at once. If you try to do too much, you risk overloading employees with information, and you will lose their attention. By focusing on a few risks at a time, you can help ensure clear, consistent communication that employees can understand and act on, and you can more easily measure its effect.
Once you have identified the risky behaviors you want to target, define clear messaging to address and counter each risk. Here are some examples Cisco has targeted:
Tailgating
This is the practice of following someone who has a valid company ID through an open door, and is also known as piggybacking. Tailgating is easy to do, and is often practiced by people with valid ID badges.
Tailgating is one of the biggest threats to a highly secure environment, particularly in larger offices, facilities, or public buildings with large numbers of people, where employees cannot reasonably be expected to recognize each other. Tailgating circumvents the physical access controls necessary to prevent property and information theft. Laptops are the most common stolen item. Cisco has documented incidents where planned tailgaters entered through the security doors and stole Cisco assets. The planned tailgaters exploit the no-tech link: people.
To address this security problem, Cisco determined that it was necessary to educate employees about the dangers of tailgating, and how to politely challenge people to show their badge. If someone refuses, for any reason, an employee is encouraged not to let the person in, but instead to ask them to report to security for a replacement badge.
Data Classification
A clear Data Classification Policy helps employees determine the relative sensitivity of documentation (including presentations, web content, and emails), and how it should be protected and disclosed internally or to other parties. Concise labeling guidelines help keep intellectual property and sensitive data highly secure.
Cisco uses several levels of classification to evaluate the sensitivity of data and define specific data protection requirements. The company specifies requirements for the protection of data at rest, in motion, and in use. Whether in the form of a document, an email, or even a verbal communication, valuable intellectual property must be protected. Cisco security policies require that classified information be stored safely in a file or disposed of in a Confidential Bin, and not left in the open. For example, when a confidential document is printed, it should be retrieved from the printer as soon as possible. Confidential Bins are located in each mailroom for proper disposal of documents.
Awareness of Surroundings
We open ourselves up to information security breaches when we least expect it. For example, imagine you are talking about your newly assigned project while waiting in line at the local coffee shop. Although the conversation is intended for you and your co-worker, are you certain that the person behind you is not listening?
Being aware of your surroundings is a habit Cisco seeks to foster in its employees, in order to encourage them to be vigilant about not divulging confidential work-related information in public places. Cisco has also started a privacy filter campaign to encourage employees to request and install a privacy filter on their laptops, which prevents onlookers from reading the screen.
Social Engineering
Social engineering is a growing threat, and administrative assistants are the main targets of social engineering attacks. Attackers seek to manipulate people into performing actions or divulging confidential information. They call into companies, posing as someone else, and ask for contact information or details. Often, the callers identify themselves as company employees, and are able to provide directory information. This leads the recipients of the phone calls to believe that the callers are employees who are conducting company business. Social engineering exploits our natural, human urge to be of help.
One particular incident involved a caller who claimed to be a company employee and to have an urgent contract that needed to be signed by a Senior Vice President. The caller used several tactics to gain information:
- Claimed that her system was down
- Said that she had an urgent deadline that required a signature by the close of business day
- Requested the cell phone number of a Senior Vice President
- Used multiple calls to gather information, including the phone number of the Vice President's administrative assistant
The caller was unsuccessful: the employee followed guidance and could not be manipulated into an action that would have put the company at risk. Another suspicious call came from a person who said she was from an organization researching the "top IT managers in the industry," and then asked for another IT manager's contact information.
To help keep your company safe from social engineering, Cisco publicizes these security tips for anyone receiving phone calls:
- Do not discuss or provide any company information until you confirm the caller's identity as an employee by using the corporate directory.
- Ask the caller to provide a phone number that you can use to return his or her call. The caller should provide a company number (any number listed in the corporate directory). You can offer to send information to a highly secure company voicemail or email account, or you can transfer the caller directly to the person requested without providing that person's contact details.
- Never provide employee, project, or company details to strangers or external email accounts.
- Take notes about a suspicious caller, such as a particular accent, caller ID, date, time, and duration of the call. File a report with security.
Based on your target risks, you can now plan an awareness campaign to address each target area. For each campaign, you will need a variety of deliverables.
Different employee types need different types of material. For example, employees may not all use email the same way. Also, employees who spend the majority of their time on the road likely will not see a poster hanging in the mailroom, and may not have the bandwidth to access lengthy videos. Employees in different regions also differ as to which material has the greatest impact. An appropriate means of communication in one culture may not work in another. So you need to think globally and act locally.
You can download a template that will guide you through planning an awareness campaign. (PDF 43.3 KB)
Think Globally, Act Locally
In the past, Cisco established overall campaigns, adjusted by region in terms of delivery, or had campaigns that were designed from the outset for specific regions. For example, the Cisco social engineering awareness campaign was targeted principally to a specific geographic region where the majority of social engineering attacks were occurring. Cisco was aware of the threat globally, but started with the campaign in the one region, and introduced it globally in a second phase.
Cisco discovered, over time, that different regions respond well to different deliverables. For example, in India, employees said that they like posters they can display in their office. In the United States, posters are often considered dated, and digital signage is the latest medium. In the Asia Pacific region and in Russia, employees said they like to receive certificates for trainings they have completed, whereas in the United States, people rarely print and display a training certificate. Russian employees also explained that they prefer specific, detailed instructions on what is and is not permitted.
To help Cisco employees think globally, and act locally, a global team of local leads was established who could either customize or design deliverables for their region, according to their needs.
It is important to have a security brand that distinguishes your security messaging. It creates a consistent look and feel worldwide, so that when people see one of your messages, they know that it is important, clear, and useful.
Distinctive branding makes your communications look professional, emphasizes that your campaign is backed by your organization's executives, and allows you to adjust your campaigns regionally but maintain the overall message, which is about the vital importance of securing your company. If you are going to adjust your campaigns regionally, then you need to be vigilant and make sure that all deliverables have a consistent look and feel, and use consistent messaging and branding across regions. It helps to create templates that are available in a single repository, along with clear branding and messaging guidelines.
Cisco planned the following deliverables:
- An Intranet site that served as a single, central repository of security information, with links to report an incident, view breaking news, and access training materials and relevant background information
- Short instructional and motivational flash videos:
  - Tailgating (Video - 0:34 min)
  - Public Awareness (Video - 0:47 min)
  - Data Classification (Video - 0:43 min)
- Award-winning general security education videos (If you would like to view these, please contact us, either by WebEx or in person. For copyright reasons, a Cisco employee must be present when these videos are viewed.)
- Annual employee awareness trainings
- Executive communications on security, through video on demand
- Regional awareness events with speakers
- Global virtual security event with online live streaming video and audio
- Internal announcements and articles on the corporate intranet
- New hire orientations
Your security education campaign needs to be ongoing to keep your employees thinking about security. It also needs to address the primary segments of your organization, and all the different regions you are in.
Managers need to push the security messages to their teams. If executives are behind the security education campaign, it becomes more effective. But while you are getting executive support, continue with an overall employee campaign.
Your security education program needs to reflect your company's culture. For example, Cisco has a culture in which employees are encouraged to take ownership on a voluntary basis and promote security throughout their organizations. Some of the Cisco programs are mandatory and some are not. Since we wanted to encourage all employees at every level to know that they are responsible for security, most of our security education program was built on an opt-in basis. We designed the program to be motivational and inspiring, to make taking responsibility for security intrinsically rewarding.
At Cisco, we proactively planned 3-4 major awareness campaigns per year, and we designated resources for reactive, or even emergency, communications as issues came up. We used a phased approach, introducing our campaigns by region, with a global team of Cisco volunteers managing local introduction of specific regional deliverables.
Here are some useful things to remember when you are planning how to get your message out:
- Identify the right communications vehicles: Look for opportunities to tell the security story. Include your message at special events, such as management summits and global sales meetings, and use newsletters that are already in circulation. Do not be afraid to reuse initiatives that have worked in the past.
- Consider joint statements: If another compliance team is already planning to send a newsletter or article, join your message with theirs if it makes sense and reaches your audience. Often, it is hard to get your message heard above the emails, meetings, and phone calls of an organization.
- Use credible sources: When communicating to large audiences, feature people who are recognized and trusted, and use respected communications vehicles.
- Keep your messages short and simple: Short, clear messages are easier to retain. Keep in mind that message retention comes from a continuous, sustaining program, so repetition is important.
- Use rewards and recognition: Develop a system that rewards individuals who have made extra effort to effect change. Include monetary incentives and companywide recognition.
- Make training available at every level and encourage participation: Track compliance and foster competition between organizations (with management support) or within organizations to improve completion rates. When everyone is on board, the results can be impressive.
A sense of community is critical for receiving employee support and establishing a new culture of security. Building a sense of community in today's distributed workforces can be difficult. Some useful methods are:
- Creating a security advocates program
- Running global virtual events
- Using social media
Cisco Security LEAD Program
Cisco recruited a special team of volunteer security advocates (employees and Cisco-badged contractors) to create a culture of awareness and help communicate security risks. These individuals volunteer to publicize security education and directly influence behavior change by Leading, Educating, Advocating, and Demonstrating (LEAD).
LEAD personnel provide a security education point of contact for those around them, and communicate the importance of keeping Cisco highly secure. Some of the ways they can help are:
- Identifying and communicating security questions, issues, and concerns
- Participating in a quarterly review and brainstorming meeting
- Implementing programs and campaigns
- Submitting feedback and suggestions
When an employee becomes a LEAD, their manager receives a notification. The LEAD then receives a welcome package with a few thank-you gifts, which also lets everyone know they are part of the Security LEAD team. The LEAD kit includes:
- An official LEAD fleece jacket
- An aluminum LEAD water bottle
- A cubicle flag, identifying the LEAD as a security resource
- An electronic badge to add to his or her Cisco Directory listing
Global Security Education Event
At Cisco, we created a global event to increase awareness of security programs, services, and best practices. Since our workforce is global and distributed, with many employees working remotely, we ran this as a virtual event, as well as a live, in-person event. To create the global event, the security education team collaborated with different security business units, to help ensure that the information would be relevant to all verticals and positions within the company. For example:
- Human Resources provided information on data privacy, along with training for managers and HR representatives.
- A webinar specifically for engineers, about designing products that resist unwanted network access or malicious hacker attacks, was offered, along with a video on demand (VOD) for later viewing.
- A streamed video allowed employees to listen live while the Chief Security Officer answered questions from the San Jose campus. This was also available as a VOD afterwards. We asked security experts to prepare questions in order to seed the discussion.
The event took place during lunchtime in Cisco cafeterias throughout the world. A representative from a security organization answered questions and directed employees to the virtual event for continuous participation. Topics included:
- Public awareness
- Data classification markings
- Social networking
- Laptop security
- Privacy team
- Reporting incidents
Giveaways were offered as an incentive for people to attend the event, including:
- A travel mouse
- A drawing for a FLIP camera, one per theater
- Fortune cookies with a Security website link and security messages
Using Social Media to Create Community
It can be difficult to foster a sense of community in a distributed global workforce. Social media can help with this. At Cisco, we use discussion forums, blogs, and wikis. However, if you are going to use these, you need to be aware of certain important issues:
- You need to provide a discussion forum or a wiki with content, often for several months. People need something to respond to. Once there is an increase in activity, the community will begin to generate its own content, but you need to help it along.
- It is important to monitor the content. Sometimes, individual pieces of information that are not confidential can build a picture that reveals too much when the pieces are aggregated. Sometimes, a person will post an item without realizing the implications.
At Cisco, we post all our campaigns, with source files, toolkits, and background information, in a central repository for people to reuse. However, we often find that people will not obtain information by themselves. We need to push it to them in the form of email notifications with direct links.
How do you know if you are making a difference? It is difficult to measure behavioral change. An increase in incidents being reported can result from an increase in incidents or from an increase in awareness of incidents. Since behavior change doesn't happen quickly, you need a long-term approach.
At Cisco, we measure:
- The number of people who attend events
- The number of people who click through to an online article
- The number of people who respond to online quizzes (People enjoy quizzes because they are interactive and fun, and a little competitive. At Cisco, as soon as you answer the quiz, you receive the correct answer and a bit more information, resulting in instant gratification.)
- The number of members of the Security LEAD program
- The number of participants in wiki or blog discussions
- The number of requests for more information
- The reduction in the risky behaviors or security incidents that your awareness program was addressing, for example, stolen laptops or reported security incidents
Cisco's Latest Global Security Event
Cisco's second annual global security event focused on the topic of staying safe online. As well as the usual seminars on secure coding and IT-based security, we recruited speakers on topics that people are less informed about, and often more concerned about, such as how to keep our kids safe online and how to avoid identity theft in a world where so many of our connections happen through unsecured social networking sites.
To accommodate our global, distributed workforce, including many employees that work remotely, we ran this as both a virtual event and a live, in-person event. We invited guest speakers, industry experts, and in-house thought leaders. Since we wanted to include our non-U.S.-based workforce, we scheduled the webinars for international audiences, repeating many of them at different times, so that viewers in different regions could attend. All of the sessions were recorded and posted on our internal website for later viewing.
The live part of the event took place during lunchtime in Cisco cafeterias throughout the world. Employees were invited to drop into live sessions with in-house security leaders, discussing questions from the audience. The main live session featured Cisco Chief Security Officer John Stewart. It was held at our San Jose campus and broadcast live worldwide. Reservations and ticketing were handled via a third-party online event management website. We asked our security experts to prepare questions in order to seed the discussions, which became lively conversations.
We also created a website for the security event, which went live at midnight on the day before. It contained links to the keynote broadcast, all the webinars and videos, and other useful material.
Some examples from the event include:
- A live keynote by an industry expert on cybercrime, simultaneously broadcast live over Cisco TV for global viewing.
- An engineer-focused webinar about designing products that resist unwanted network access or hacker attacks.
- Webinars about staying safe online, including how to cross the digital generation gap to be able to imagine the online world our kids operate in every day.
- An online quiz asking questions about security issues and how to identify and respond to risks, with a "security score" at the end.