I have been hearing a lot of questions lately about how to create effective awareness programs inside your organization. To most companies, this is a very difficult task. Here are three strategies to make this easier for everyone and a whole lot more effective than what you are likely using now:
1) Ask your employees. Hold a few round table sessions with various randomly selected employees. Stress to them the importance of information security awareness and ask them what they think would be effective to reach into their peers. You might just be surprised by what they have to say. Incorporate some or all of their ideas into your program, of course, with appropriate metrics and monitoring. Don’t be afraid to embrace these new mechanisms, they are often hidden gems.
2) Think like marketing. Stop thinking of security awareness as a security function. Only the message/content is security, the rest is plain old marketing. Include your marketing department in the process. Actively engage them in the process of selling security to your employees. It makes a world of difference. Also, on this note, make sure you support their efforts to tune and refine the message and profile the employee audience. Those traditional marketing approaches may seem fuzzy to security folks, but they are what clearly separate the wheat from the seed in this undertaking.
3) Embrace new technologies and multi-media. Face it, if posters and such worked so well, the problem would be solved already. The fact of the matter is, you need multiple forms of contact with the employees to cause change and sell them security concepts. The more mixed media and content with common themes, the better. This simply works. Think about it, again from marketing terms – does Coke just use posters to sell sugar water? No, they use a variety of media and messages with a common theme to get people to drink their products. Do what works; don’t be afraid to move beyond posters and meetings to really make awareness work for you and your organization!
Good ideas there, Brent.
We incorporate the true multimedia and marketing techniques, and take ‘asking employees’ a step or two further by actively encouraging audience feedback and participation – e.g. case studies that outline a scenario and then pose questions for class discussion (we even provide model answers for the facilitators in case the discussion flags!) – and surveying them to assess their state of awareness and solicit further ideas.
One other Big Idea is to run your awareness program as a continuous rolling event rather than a sporadic once-in-a-blue-moon “sheep dip” for the oh-so-lucky employees. It’s better to drip-feed the information gradually and consistently to build the ‘awareness brand’, with perhaps a few special events to spice things up. A monthly change of topics helps to refresh and re-invigorate the program before it goes stale. No dog-eared two-year-old posters for us, thanks!