If you run a security awareness program for a large organization with multiple divisions, regions or branches, you know how tough it can be to tailor your efforts to different user groups.
Consider this scenario: your security team has been running a security awareness program for four years, serving 6,000 users across five countries. The program is mature and keeps people engaged with monthly role-based training and quarterly security awareness events.
Now, the business is buying up a smaller company that will bring in 2,000 new employees across new two countries. The acquired company has been running security awareness training for a year. But that program was a bare-bones effort designed to meet basic compliance mandates. It’s not clear which users are most vulnerable or where they need the most help.help.
Once they become part of a new division in your organization, these new users will need different, more basic courses than your existing users. Likewise, the incoming, less-experienced security admins will need your team’s support to uplevel their approach. On top of that, the new users face threats and compliance requirements unique to their home countries.
How do you run a security awareness program that meets all these needs? That's where Multitenant Administration comes in. It's a powerful new feature we’ve added to Proofpoint Security Awareness. With Multitenant Administration, you can delegate admin tasks to local teams while keeping topline control of the broader program.
How it works: simplified strategic delegation
Multitenant Administration helps large, distributed organizations stay flexible and strategic in how they run their programs. Company-level security leaders can oversee the program as a whole and make major groupwide decisions. At the same time, the security admins for each subgroup, or “tenant,” can tailor the program for their local users and needs.
Tenants are defined by logical groupings. They could include region, business unit, department, employee role, program maturity or even language. A worldwide hospitality chain, for instance, might designate each hotel brand as a tenant. A government department might set tenancies for each agency it oversees.
The icing on the cake? The setup process for Multitenant Administration is simple and streamlined. Configuration is automated. And you can roll out features a little at a time or all at once.
Figure 1. Proofpoint multitenant settings.
Decide globally, tailor locally
Globally, company administrators have full visibility, centralized reporting and accountability. In our examples, they oversee that entire hotel chain or all the local government agencies. They can see progress—and problems—from a high level. And they can roll out organization-wide campaigns or adjust the base curriculum. Some security leaders prefer to work on a global level for their annual compliance training and let the tenant admins run everything else.
In other words, company admins still make the top-level decisions. They might mandate phishing simulations once per quarter to every user. Or they might create a rule to assign more targeted training after three simulation failures. .
From there, local tenant admins can augment the program for their end users. They can roll out campaigns based on defined learning goals and customize the curriculum for individual user risk levels or knowledge gaps. For a highly targeted business unit, they might add more phishing simulations for a monthly cadence. Or if a user has high-level network privileges, the tenant admin might assign more training after just two failed phishing simulations instead of three. Being close to their users and environment lets the admins choose content and topics that fit their regional needs, preferences, language and team culture.
Three use cases: business unit, maturity, region
Multitenant Administration offers visibility and responsibility that’s uniquely right for each environment. Many of our customers have already applied multi-tenancy across a broad set of use cases.
Let’s look at three use cases:
-
By business unit: Defining tenants by business unit is a common use case. We have a customer with 35,000 users in all. The company runs compliance training at the company level to make sure the business is meeting all compliance mandates. But it also wants to educate 500 users in a strategic business unit differently from other users. Using Multi-Tenant Administration, it can configure a tenancy for each business unit so that they can further educate higher-risk users.
-
By program maturity: Another use case is by program maturity (as with our opening scenario). For instance, we work with an organization that has set up 70 tenants of widely varying sizes.
Five tenant admins are mature enough to run their own program because they manage the larger entities. Another half-dozen administrators of smaller tenants have asked for some autonomy.
The smaller aren’t yet familiar enough with industry regulations and incentives, so the top-level cybersecurity team will oversee those programs for now. But by setting the tenant admins up as a tenant, the parent company can offer a strategic middle ground. The parent company decides on a global campaign plan with standard training that must be completed by all users across the organization over a given timeframe. But tenant admins can also choose to provide more content and expand the training schedule. This setup preserves some autonomy and lets the tenant admins layer in localization.lets the tenant admins layer in localization.
-
By region: We often see multi-tenancy by region. This can be as simple as configuring tenants at a country level. It can also be multi-hierarchical, with nested levels of administrative oversight. For instance, the security team might assign a separate tenant admin for their tenants in France, Italy, Germany and Spain. Each tenant admin then makes localized program decisions such as the default language, preferred content style and relevant topics.
These four country-level tenants roll up to a regional tenant admin who oversees the EMEA (Europe, Middle East and Africa) region as a whole. The EMEA tenant, in turn, rolls up into the global business. This nested structure provides better visibility for metrics such as program effectiveness on a broader scale. (We don’t limit how many tenant levels you can assign.)
These four country-level tenants roll up to a regional tenant admin who oversees the EMEA (Europe, Middle East and Africa) region as a whole. The EMEA tenant, in turn, rolls up into the global business. This nested structure provides better visibility for metrics such as program effectiveness on a broader scale. (We don’t limit how many tenant levels you can assign.)
Start streamlining with Multitenant Administration
Multitenant Administration is a game-changing workflow. It can help you manage your security awareness program more effectively. You can set it up for your unique use cases and choose how to roll out the feature.
These features are especially valuable for large, complex organizations with a global or distributed footprint. With Multitenant Administration, you can provide tailored programs that meet the needs of different groups of users while ensuring they align with your overall security strategy.
To learn more about how to build a high-impact security awareness program and change user behavior for the better, check out our e-book. Or contact us for a free trial of our security awareness solution.