Building a Culture of Digital Self-Defense

Note: This article was previously published on September 20, 2016 in the EDUCAUSE Review Security Matters Blog

One of the biggest challenges in information security is raising the awareness of our communities so that they recognize threats and understand how to defend themselves. The difficulty of that challenge is exacerbated by up to 30 percent turnover of students, faculty, and staff yearly. It’s a multiyear process, but the key is to stick with it and not be afraid to try new ways of raising awareness and enrolling your communities so that they become part of your security team. I’ve provided a list of key components to building that security culture below. I’ve also provided some examples of our work at the Rochester Institute of Technology (RIT).

Think Strategically

You can’t change or create a culture overnight, and gains may seem almost imperceptible at times. Recognize that you need to think of security awareness as a key component of your information security strategy. (Yes, you need a security awareness strategic plan.) A strategy enables you to identify long-term goals. Security is often reactive. For example, we might respond to phishing attempts by warning our communities as the attempts occur, rather than employing a phishing simulation program¹ so that they’ll recognize phishes on their own. To create (and harden) a security-aware culture, you must be proactive. It’s not always possible to get ahead of specific threats, but we can train our communities to recognize many of them.

Have a Plan

Thinking strategically requires a plan. A plan enables you to define how you’ll reach the goals defined in your strategic plan. What communication vehicles are already available? What needs to be developed? Where do your audiences (you have at least three: faculty, staff, and students) get their information? Are there community or departmental leaders they follow? What topics should you cover and when? (EDUCAUSE provides a calendar of topics and member-created content that you can leverage.)

Brand Your Security Awareness Efforts

RIT’s security awareness efforts are branded under Digital Self-Defense. A brand helps make your security awareness efforts visible and memorable. Almost every communication or event around security awareness at RIT bears our “DSD guy” (seen above). After more than a decade, most constituents recognize him. (Your university or college might have requirements around branding that may or may not make security awareness branding possible. However, you can still use a common layout and design in your communications.)

Leverage Existing Opportunities

What existing opportunities are available for improving security awareness? Are there orientation events for students, faculty, or staff? Are there benefits or wellness fairs in which you can participate? Have you contacted departments to schedule security awareness discussions? Have you created an ongoing security awareness class, either in person or online? Have you put posters on your buses? Given away swag with security awareness messaging at orientations? Look around and see what existing opportunities you can leverage.

Be All Over Social Media

Where do your constituents get their information? Your university or college may have official news outlets or communication mechanisms. Does everyone follow them? Do students even read e-mail anymore? Who’s using Facebook? Twitter? Instagram? Pinterest? Snapchat? The rapidly evolving social media landscape offers opportunities, as well as challenges. Go where your audiences are. They’re unlikely to come to you. (As I write this blog post, we’re in the midst of our annual social media “like” campaign and expect to surpass 10,000 followers in our social media outlets.)

Identify and Leverage New Opportunities

Has your campus become a hotbed for Pokémon™ GO!? Have you thought of how you might leverage Poke Stops where students congregate? Maybe set up a security awareness table. Hang posters at Poke Stops inside buildings. What about Snapchat? Snapchat filters are really popular. Did you know that Snapchat allows you to create custom geofilters? Why not create some security awareness-oriented filters and offer them at high-traffic times and locations?

Hire Students with the Right Skill Sets and Mindsets

One of the strengths of our security awareness program at RIT is that we hire technology-savvy students with strong communication skills. After a while, you’ll probably find that the well of inspiration you draw from has started to run dry. Student employees are a great source of innovative ideas and, more importantly, they’re students. They understand how students communicate and how best to get their attention. Give them the freedom to be creative.

Enroll Your Community

It’s not really a secret, but we know as security professionals and IT organizations that we cannot secure our campuses without partnering with our user base. Have you thought about how you might enroll your users in your efforts? In fall 2015, we began our Digital Self-Defense Team program. The purpose of the program was twofold: we wanted to develop a sense of shared responsibility around information security, and we also wanted to begin measuring our successes with a survey. With small incentives for taking the survey, we had over 600 survey participants from a faculty/staff population of about 3,000. Almost half of the survey participants signed on to the Digital Self-Defense Team. That’s a growing population of security advocates on campus.

Volunteer and Network

I’ve been a member of the Higher Education Information Security Council (HEISC) Awareness and Training Working Group for almost 10 years. The innovative ideas and helpfulness of the group to new members are without parallel. Participation in the working group ensures a steady flow of new ideas and solutions to problems faced by all of us. Each of us has ideas to share, and the working group has developed a number of security awareness resources available today.² I invite you to join us.

Notes

  1. Learn more about phishing simulation programs and read these 10 key points about implementing a campaign.
  2. The HEISC Information Security Guide: Effective Practices and Solutions for Higher Education includes several resources developed by the Awareness and Training Working Group: a quick start guide, detailed instruction manual, cybersecurity awareness resource library, and National Cyber Security Awareness Month resource kit.

Recruiting Volunteers

Volunteers are the lifeblood of non-profit organizations. However, recruiting volunteers may be challenging. I had the privilege of presenting with Alice Brzovic, President of the San Diego Chapter of the Society for Technical Communication, on a leadership webinar on July 22, 2016. Alice had a number of great ideas around volunteer recruitment, especially in advertising for volunteers. It may seem obvious, but it’s really important that prospects know about the opportunities and that their help is needed. Alice suggested placing a Help Wanted sign on community websites, creating a company page on LinkedIn and posting volunteer opportunities there, and participating in volunteermatch.org. These are great ideas!

Make the Appeal Personal

Many people will ignore a general call for volunteers, assuming that someone else will step up. A personal appeal may be more successful. (Knowing what the prospect is passionate about and making the right volunteer match is ideal.)

Cast a Clear Vision

I believe it is critical for an organization and its leadership to have and cast a clear vision of why the organization exists and what it’s trying to accomplish. Prospective volunteers want to know what they’re contributing to. An effective leader will share his or her vision and passion and can inspire volunteers.

Phone Script

During the webinar, one of the attendees asked about phone scripts for recruiting volunteers. I’ve created the script below. Please adapt it for your own use, for calls or emails. (Please substitute specific information for the capitalized words.)

Hi PROSPECT NAME,
My name is NAME and I’m the OFFICER OR POSITION for ORGANIZATION. I’d like to talk with you briefly about an opportunity for you to gain leadership skills that can advance your career by helping with OPPORTUNITY.

Here’s what we need your help with!
DESCRIBE OPPORTUNITY. We’re asking for a commitment that won’t exceed NUMBER of hours per TIME PERIOD.

MENTOR NAME will work with you to make sure your questions are answered and to help you be successful. (IF YOU KNOW THE PROSPECT, ADD We believe this opportunity is a good fit for you because REASONS.)

Here’s what you’ll get in return:
1. The opportunity to gain leadership skills
2. An opportunity to build your professional network
3. An opportunity to positively impact fellow practitioners
4. Helping COMMUNITY serve local practitioners
5. Fun
6. Recognition for your participation
7. ADD SPECIFIC BENEFITS

The COMMUNITY serves the PROFESSION community in the greater GEOGRAPHIC OR PRACTICE area. We’re excited about ORGANIZATION and PROFESSION and we’re working on these SPECIFIC FOCUS AREAS this year.

Won’t you come alongside us and help with OPPORTUNITY?

PROVIDE NEXT STEPS

Thank you for your time and willingness to serve.

NAME

Let me know if you find this script helpful.

Alice Brzovic, Tips for Recruiting New Volunteers (pdf) (Slideshare.net)
Ben Woelk, Get On Board: Entraining Volunteers (pdf) (Slideshare.net)


What Value Does STC Provide to Its Communities?

This post is a continuation of the ongoing discussion about the Society for Technical Communication to which I’ve been contributing on Larry Kunz’s excellent Leading Technical Communication blog (https://larrykunz.wordpress.com). Larry recently posted An Agile STC? Much of the discussion has been around what value STC provides to its communities. As I took part in the conversation, I’ve realized that this is a subject I should be writing about as well. Here’s more of the discussion. (Note that I’m actively involved in STC and a former Director.)

I don’t have up-to-date numbers, but roughly 50% of STC members are currently in geographic communities/chapters. The other 50% are not involved locally. That means there are two different membership experiences. When I stepped into the presidency of STC Rochester in 2010, we were very insular and had no information about what was happening at the society level. One of my goals was to reestablish that connection. I blogged extensively about determining our local value proposition at that time (benwoelk.com), primarily about the local level, and we’ve worked hard (and successfully) to provide value to the community. I also wrote about the value of volunteering (https://benwoelk.com/why-i-value-stc-rochester/). However, I didn’t gain a full picture of what STC itself provides until I had the opportunity to serve at the Society level.

In terms of tangible benefits, STC provides a value calculator (https://www.stc.org/membership/join-or-renew-now/1408-value-calculator).

The tangible benefits are measurable. For me, the primary value is in the intangibles–the things not displayed by the calculator. I’ve always argued that what you gain from an organization can often be directly correlated with what you put into it. I have had so many leadership growth opportunities because I chose to be involved and step forward (and even create new initiatives such as the CAC Outreach Team to directly support community leaders) that the value to me personally has been enormous. Coupled with the professional network and friendships I’ve established, the cost to me has been minimal compared to what I’ve gained.

My experience, both at the local level and the international level, has absolutely transformed me professionally, in skill sets and in developing leadership skills. I attribute much of my growth in leadership skills to “iron sharpening iron”–working with other leaders towards shared goals, mentoring new and emerging leaders, developing a peer network of very smart practitioners who I can go to when I have questions or whom I can assist with answers from time to time.

My question has often been, what do people who are not actively involved as volunteers, at the local or international level, get from their membership?

Some may just want to support a professional organization that represents their profession.

Don’t forget that the STC works at the national and international levels to better the perception and value of techcomm. It was through efforts by STC that the Bureau of Labor Statistics now lists Technical Writer separately from other writers. At face value, that may not appear to have a direct impact on an individual member, but when HR departments benchmark salaries, that new category of Technical Writer makes a difference. STC has also supported Plain Language initiatives. (A good way to get a look at Society-level initiatives is by reviewing https://www.stc.org/images/stories/pdf/stc2015yearinreview3.pdf)

Others may value the access to continuing education opportunities.

When I was on the Board, we revised the strategy and mission of STC (https://www.stc.org/about-stc/the-society/mission-vision). We refocused on proving economic value (BLS info above, for example), but also on providing continuing education opportunities that equip our members to be successful in many fields. A techcomm mindset and the skills we develop around audience analysis and contextualization, much less actual technical skills, serve us well in multiple job roles.

Here are a few of the things STC offers to support its communities:

  1. Through the Community Affairs Committee, direct support to chapters, including mentoring of chapter leaders.
  2. Specific webinars that are free to chapter/SIG members.
  3. Umbrella liability insurance for chapter events when a certificate of insurance is needed.
  4. Access to other community leaders.
  5. A number of webinars, both live and recorded, that address leadership-related subjects.
  6. A shared hosting platform that saves chapters the cost of having their own hosting.

For those of you who find value in STC, what have I missed? For those who don’t find value, what else would you like to see STC offer?

