
Security Awareness Series: Part Five – Map it Out
August 9, 2010

Now that we have some topics and some goals in mind we can start mapping out a timeline for the first 12 months or so of our awareness program.
You’ll need a calendar, preferably one which shows the entire year on one page, or knock up a spreadsheet to show the entire year on one sheet. You’ll reference this sheet a lot during the year so it’s a good idea to hang it on the wall. Things will change. Don’t get too precious about scribbling on it. If you can spare a whiteboard for this that’s great, but my preference is to be able to see each day so it would have to be a fairly large whiteboard.
Although I’ve asked you to come up with a bunch of topics, I haven’t (in this series at least) explained why you need so many. You probably didn’t have too much trouble coming up with a substantial list, so you’ve no doubt figured out that you’re going to have to run quite a number of ‘events’ to cover them all. You could of course go down the old-fashioned route of forcing everyone through a half-day or even full-day course once a year, but think of the lost productivity! Plus, unless it’s something quite special, most of the participants will forget the bulk of what they saw or heard within a couple of days, especially with so many topics crammed into one session.
A much more educationally sound approach is to space your topics out. One a month is a convenient, if arbitrary, number. You could even do one every couple of months if you are short on resources. The key here is repetition: constant reminders of both the requirement for security and the fact that your team is making it easy to comply.
That second comment may come as a shock to some who think the job of security is to lock everything down as tight as possible. It’s not. Security is there to serve the business, to enable the organisation to perform whatever function it is designed for as well as it can. Confidentiality, integrity and availability are just means to an end, not the end itself. So what you need to do is constantly remind your colleagues outside security that you are there to serve, providing a professional and timely service. The goal is to win them over so they feel more inclined to ‘participate’ in your ‘culture of security’ (see the previous post for more on that term). Think like a marketing manager, not a university lecturer. The lecture paradigm is dead. Need convincing? Then watch this video now.
Assuming you did watch it, now I’m going to stretch you even further and ask that you replace all those young people in the video with your colleagues. The millennials, gen Y, whatever you want to call them are not just young people anymore. Facebookers, Tweeters, vloggers come from all generations. The digital culture is here, get with the times.
Right, so now you’re a marketer not a lecturer. What does that mean for your awareness program? It means that the program just became a series of campaigns. Like ad campaigns. And now that you’re in advertising all those tricks and rules apply; repetition, audience metrics, repetition, messaging, repetition, brand placement and repetition.
Repetition, however, doesn’t mean telling people every month to have strong passwords (although repeating campaigns does have obvious value). Rather it means repetition of security as a service: “We are Information Security, we’re here to help, and by the way please encrypt your USB sticks as per this policy because it [insert reason relevant to organisation purpose and culture here (see part three)].”
So you’ve got this spreadsheet/calendar in front of you. To populate it look for:
- Regular corporate newsletters
- Upcoming corporate events
- Key dates in the corporate calendar
- External campaigns (eg privacy awareness week, Cybersecurity month)
- Public holidays
- Etc…
What you are doing is tying your messages to existing communications or events in people’s lives. In the first instance, utilising corporate comms means not having to come up with your own delivery vehicle from scratch. It also has the benefit of forcing a schedule on you, which can help motivate (or remind) you to get working on the next campaign. And by relating your campaign to a public event you inject relevance into it, so that your messages are not messages for their own sake. For example, a campaign around Christmas time can focus on scams or dodgy email greeting cards, and even give advice on how staff can do some maintenance work on their home computers over the holiday period, such as backups or full system scans.
So with your topics in place, your comms dates lined up and the whole plan on your cubicle wall in front of you, you’re ready to tackle the next task – making your first poster.
The next post will be an overview of how you can use some free tools to create a professional looking poster.
I’m glad to see that others see the futility in making people sit through awareness training for a whole day. Awareness is pretty high right afterwards but degrades throughout the rest of the year as people forget. I think a few topics, once a month, is the best approach as it keeps security fresh in their mind. The other way I’ve found to get people to actually pay attention is to include some useful information as well (i.e. working on their home computers). Great info.