Safelight shines light on security gaps, offers training strategies

The blueprint provides a set of self-assessment questions based on the level of security risk personnel within the organization face. Once the questionnaire is completed, the organization receives an educational program that matches its risk level.

The self-assessment questionnaire is broken down into five functional groups of employees – general staff, development staff, IT and operations staff, executives and management, and security staff – and defines three program maturity levels for each group. “These are the key groups that really need specific and separate approaches to training”, said Rob Cheyne, chief executive at Safelight.

“The blueprint provides a starting point so companies can see where the gaps are in their organizational training program right now”, Cheyne told Infosecurity.

An organization’s risk profile maps to a blueprint that recommends a specific level of education for each of the five groups. At each level, the blueprint offers guidance for developing eight components of a well-designed security education program. These components include integration of training into hiring and on-boarding processes, as well as the introduction of communications programs that support training content.

The first step is to assess the overall risk level of a company and then break that down into specific risk levels for staff members, Cheyne said. Once the company answers the risk questions, it gets a security grid. “For each staff group, the grid will tell them what level of training we would recommend”, he added.

“A lot of companies put out an edict, ‘Thou shalt be secure.’ But what they miss is measuring staff on whether they are producing things that need to be secure”, he said.

Safelight plans to offer the blueprint for free to companies at the upcoming RSA Conference in San Francisco from Feb. 14–18.
