Redefining Security Awareness: A Journey Towards a Security-First Culture

In the realm of cybersecurity, the term "security awareness" often conjures visions of mundane emails during Cybersecurity Month or obligatory video tutorials for all company staff. While these traditional approaches have their place, they often fall short of cultivating a genuine security-first culture. True transformation involves changing the very mindset of individuals and, in turn, reshaping the culture of security. It's about making people think security in their daily actions. How do you achieve this shift? The answer lies in making the learning experience engaging, interactive, and, most importantly, effective.

Reaching Across Departments

One defining security awareness journey I recently led stands out because it managed to transcend the bounds of technology teams. It attracted participants from a diverse array of departments: not just engineering but also Project Management Office, Product Management, Business Analysts, Customer Support, Sales, Marketing, and even Accounting. Yes, you read that correctly, even Accounting! It's this last inclusion that took me by surprise and, in my view, marks our greatest victory. When a program entices non-technical departments like Accounting and HR, it indicates a substantial culture shift in favor of information security.

A Digital Evolution

What made this program unique was its comprehensive digital execution: it was conducted entirely online, from meetings to messaging. This approach not only ensured accessibility for all but also provided the flexibility for participation across different time zones and geographical locations.

The CTF Implementation Journey

  1. First, we created a Capture The Flag (CTF) challenge using open-source frameworks and hosted it on AWS. Our product security team collaborated with our internal Network/Corporate security team to ensure these servers were only accessible through a VPN, while implementing thorough logging and monitoring.
  2. The CTF was cleverly divided into separate, standalone weighted challenges.
  3. Prizes awaited the top three scorers, with consolation prizes of equal value for the next seven participants.
  4. Digital flyers were designed and distributed across the organization to build awareness about the program. As the D-day approached, our team's frequency of sending these flyers increased. Each team member took turns distributing them.
  5. We partnered with leaders from various departments and shared these flyers with their respective teams and the entire company.
  6. The event spanned three days. On the opening day, we invited organizational leaders to deliver keynote speeches.
  7. The rules of the event were explicitly detailed on an online page, accessible to all participants.
  8. We secured approvals and support from various department leaders, not just for participation but also for motivating their teams.
  9. We strategically scheduled the event to avoid critical activities that might require participants' full attention. We announced the event to the organization well in advance so that prospective participants could plan for it.
  10. A dedicated chat group was established for CTF participants, ensuring effective communication and issue resolution.
  11. On D-Day, the CTF was flagged off by our engineering leader, with keynotes from other organizational leaders, followed by our team members explaining the rules of participation.
  12. Our team members periodically provided hints to keep participants engaged.
  13. The CTF's conclusion was marked by prize announcements and keynote speeches on security and leadership. A raffle draw added an exciting element. Participants earned digital tickets, and those who completed mandatory security training received extra tickets. To encourage attendance at the closing ceremony, we offered raffle tickets to anyone who joined the meeting. However, claiming a prize required being present at the meeting's closure, and a few missed out on winning due to absence.
  14. Lastly, we captured a screenshot of all participants who were present and willing to turn on their cameras.
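As an added example (not code from the original article or from the program it describes), here is a small Python check for the VPN-only constraint in step 1. It reads security-group rules in the shape of `aws ec2 describe-security-groups` JSON output and reports every ingress source that falls outside the VPN address range, which is the kind of check the product security and corporate security teams would want to run before opening the CTF. The VPN CIDR, the group names and the sample JSON are constructed placeholders, not values from the actual event.

```python
"""Audit EC2 security-group ingress rules for a VPN-only CTF host.

Added example, not from the original article. It assumes the CTF servers
sit behind an AWS security group and that the corporate VPN hands out
addresses from one known CIDR (VPN_CIDR below is a constructed placeholder).
The sample input mirrors the shape of `aws ec2 describe-security-groups`
output and is constructed inline so the script runs offline.
"""
import ipaddress
import json

# Assumption: the VPN client address pool. Replace with the real range.
VPN_CIDR = "10.8.0.0/16"

# Constructed sample: one correctly scoped group, and one group that leaks
# the CTF web port to the whole IPv4 internet and SSH to all of IPv6.
SAMPLE_GROUPS = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-ctf-ok",
      "GroupName": "ctf-web-vpn-only",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.8.0.0/16"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupId": "sg-ctf-bad",
      "GroupName": "ctf-web-public",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.8.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
      ]
    }
  ]
}
""")


def cidr_within(candidate, allowed):
    """True if every address in `candidate` lies inside the `allowed` network.

    Unparseable input and mixed IPv4/IPv6 comparisons count as NOT within,
    so a malformed rule is surfaced rather than silently accepted.
    """
    try:
        cand = ipaddress.ip_network(candidate, strict=False)
        allow = ipaddress.ip_network(allowed, strict=False)
    except ValueError:
        return False
    return cand.version == allow.version and cand.subnet_of(allow)


def audit_ingress(groups, vpn_cidr=VPN_CIDR):
    """Return one finding per ingress source that is not inside the VPN range.

    Each finding is (group_id, protocol, from_port, to_port, source_cidr).
    An empty list means every ingress path is VPN-scoped.
    """
    findings = []
    for sg in groups.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")     # "-1" means all protocols
            lo = perm.get("FromPort", 0)             # absent for "-1" rules
            hi = perm.get("ToPort", 65535)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if not cidr_within(src, vpn_cidr):
                    findings.append((sg["GroupId"], proto, lo, hi, src))
    return findings


def is_vpn_only(groups, vpn_cidr=VPN_CIDR):
    """Convenience wrapper: True when audit_ingress reports nothing."""
    return not audit_ingress(groups, vpn_cidr)


if __name__ == "__main__":
    for gid, proto, lo, hi, src in audit_ingress(SAMPLE_GROUPS):
        print(f"{gid}: {proto} {lo}-{hi} reachable from {src} (outside {VPN_CIDR})")
```

In practice the JSON would come from the CLI or from boto3 rather than the inline sample; the check deliberately treats anything it cannot parse, and any IPv6 source when the VPN range is IPv4, as a finding, so that a typo in a rule is noticed before the event opens rather than after.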


An Unexpected Success

The experience was nothing short of exhilarating, with participants echoing their newfound knowledge and enjoyment. Most importantly, they shared how it provided them with fresh insights into security.

Our original aim was to engage primarily with our engineering and technical teams. However, we were astounded by the widespread response. People from almost every corner of the organization actively participated.

Team Synergy and Skills Development

The positive impact of this exercise extended beyond our colleagues. Our team became closely knit, working together on tasks that required skills they didn't primarily possess. Marketing and promotions were uncharted territory for many. However, by stepping out of their comfort zones, they explored different areas in support of our greater mission to equip the entire company with relevant security knowledge. This opportunity to influence a culture change across the organization was supremely motivating. Team members undertook challenging tasks such as creating digital flyers, writing content, setting up servers, and much more, tasks they weren't initially proficient in. This exposure to a variety of skills deepened their commitment to delivering high-quality work. I'm proud to say that many of my team members are thriving in the industry today and continue to inspire me.

Here's to a future where security awareness programs go beyond monotone emails and mandatory videos, empowering individuals to champion cybersecurity through meaningful engagement and active learning. In this digital age, it's high time to redefine security awareness.

More articles by Sumanta Dey
