In 2019, the University’s security awareness training was completely transformed with the introduction of a new training module.
Since then, the Information Security Office within ITS has made significant progress in expanding the program to groups across campus. So far, all members of the IT Executive Council (ITEC) have been enrolled, along with the School of Medicine, the College of Arts and Sciences, and ITS, which was used first as a platform to test the initiative.
At the beginning of this effort, University compliance was 4%, but compliance has now grown to 51%, even as some campus groups wait to enroll. Additionally, by pacing the strategic rollout, the Information Security Office has been able to lessen any impact on the Service Desk.
Partnering with ITS Enterprise Applications also was key for the Information Security Office’s successful transition to the new training module. Enterprise Applications staffers enabled supervisors to view training completions and passing scores within ConnectCarolina.
Communication is key
Dennis Schmidt, Assistant Vice Chancellor and Chief Information Security Officer, has worked with Security Operations and Incident Handling team lead Charlie Mewshaw to communicate directly with University IT leaders about the security awareness training. This has helped encourage compliance. Explaining the trainings to the IT leaders has given them time to relay the importance of the program to their respective departments, which helps ensure that messages requesting completion of the training module are taken seriously.
Using multiple channels works
Although the training module has been a core piece of this transition, the Information Security Office's use of other outreach channels to communicate security awareness has been essential in improving University-wide compliance.
The Data@Rest podcast series, hosted by Mewshaw and Network Security Team Lead Michael Williams, has been one popular platform for this effort. Mewshaw and Schmidt also host phishing presentations for campus departments and provide real-life examples. Phishing is currently one of the biggest user threats.
Information Security’s SecurityCon and other in-person campus events have been well received, and groups often request repeat sessions to stay updated. Campus groups have also assisted with sharing information through events and social media. (Of course, this was prior to COVID-19.)
By providing many types of interesting and educational options, Information Security hopes to connect on this topic with a variety of people with diverse learning styles.
Continuing to adapt
Information Security will continue to focus on this rollout and changes to security awareness training.
“We do plan on making it an annual cycle, where we revisit and make changes, once this is established,” Mewshaw said.
For now, the Information Security Office will continue to help individuals understand the information and address any complications. With the goals of increasing awareness of risky situations and helping people understand preventative actions, the team is focused on communicating information and resources.
The security awareness training, Schmidt said, has been a positive community initiative to protect the privacy of personal and University data. “It’s also so more people start to see Security as partners and friends,” he said.