Ron Gibbs

Security Awareness

My first career was teaching high school and college science. The most valuable aspect of that experience was understanding that people have different learning modalities, or ways to learn. A comprehensive program needs to incorporate many different learning styles in interesting ways in order to be successful. Several of the methods I developed and implemented that I found successful were:

  • Live trainings for new hires. I would develop these trainings around breaches I heard about in the news and the latest threats. I would then engage my audience to create discussions around how these threats would affect their roles and what they could do to mitigate them. Many times, my live trainings were highlighted as the most interesting and rewarding portion of their onboarding experience.
  • Cybersecurity forums and fireside chats. October, with National Cybersecurity Awareness Month, is a great month to kick off any new security awareness outreach. I have organized company-wide seminars with guest speakers from the FBI and Cisco's threat center. I have had our CEO chat, and have also made it more personal by getting speakers from different agencies to discuss how they approach security and what their unique concerns may be. The more interesting the speakers and topics, the more audience participation I can get and the more it is retained by the employees.
  • Security Champions. I have found that in different departments and agencies, there are usually people who have a heightened interest in information security. I work with these people directly to give them additional insight into the cybersecurity world and to understand their department/agency needs. I then have them work directly with their peers in supporting the cybersecurity initiatives and good practices. This has worked out extremely well in that the security champions are accepted much more readily within their organization, as their peers have a desire to support their own folks.
  • Cybersecurity Stars. I built a program where people are recognized for contributing to the overall cybersecurity presence. This can be from reporting a possible security incident, phishing email, etc. They are then recognized in our newsletter as well as highlighted during our cybersecurity forums.
  • Competitions. Healthy competitions with bragging rights have always worked well with our program. The competitions can be as simple as a completion rate for a security awareness training, or obtaining a low 'click rate' in a phishing campaign.
  • Working with HR is a key component to managing a successful program. I try as much as possible to create an interesting, positive experience for the employees, but ultimately it is the employees' responsibility to act in a secure manner, complete the trainings, and respond accordingly. I built a tiered model of intervention with HR ranging from additional trainings and discussions with the employee up to the possibility of termination. I have not yet been, and hope not to be, in a position to terminate an employee for endangering the company through activities not conducive to good security practices, but it is something that must be on the table to indicate the seriousness of maintaining a solid cybersecurity environment.

Certifications

  • Certified Information Security Manager (CISM) #1841436
  • Certified Incident Handling Engineer (CIHE) #14282-162-075-8681
  • ISO 27001 Lead Auditor (TPECS)
  • Certified Project Manager (CPM)
  • Project Manager Professional (PMP)