Dan Lohrmann
CSO
State of Michigan
A Quick Quiz . . .
Question 1: What do these headlines have in common?
Question 2: What percent of breaches are the result of user error?
• 25%
• 45%
• 59%
Stage 1 – Minimal training, compliance focused
Minimal training designed to meet only specific compliance or audit requirements. There is no defined program or standardized plan; messages are infrequent and inconsistent. Employees are unaware of their role in protecting the organization’s information assets and of how to prevent, recognize or report a security incident.

Stage 2 – Promoting awareness and change
A defined plan with identified roles and responsibilities, sufficient budget and executive support. The awareness program includes both primary and reinforcement training that focuses on topics with high impact. Content is provided in an engaging and positive manner that encourages behavior change both at work and at home.

Stage 3 – Long-term sustainment
Processes are created and budget provided to sustain a long-term training life cycle, including regular reviews and revisions of materials and messages. The program is continually updated to adapt to new technologies, threats and business requirements. Employees are encouraged to provide feedback and suggestions.

Source – SANS: Securing the Human
Final Thoughts
• Your staff is your organization’s biggest asset and its biggest vulnerability.