Q. I have a security awareness program in place but am unsure it's all it can be. In your experience, how did you determine which risks to build the program around? Which awareness initiatives provided the greatest value overall to the company? How did you test effectiveness? How did you get senior management's buy-in for those initiatives?
A. One of the best ways to answer these questions is to discuss them with senior management in each business segment of your company. Determining risks will require an examination of your company's business plan, identifying the most significant assets and deciding which issue or loss would do the most damage to your brand name. Gaining the participation of business segment managers will not only help you focus your limited resources in the most productive direction, but will assist in developing business-focused partnerships to help ensure the long-term success of your security program. Keep in mind the security awareness program is for the employees/associates and should address their perceived needs.
Let's use travel security as an example of a risk your company has determined requires an awareness program because the company’s greatest asset is employees/associates and the greatest threat to employees/associates occurs while traveling on company business. The focus would be to develop an awareness program around travel security to help employees/associates to be aware of potential risks and to recommend proactive methodology. Addressing the basics is the best approach for a travel awareness program. This would obviously include awareness of surroundings, avoiding certain areas or events, and so on. However, even with the most well-thought-out awareness programs, undesirable events can still occur. Your awareness program should include recommendations for post-event actions to expedite recovery and minimize business disruption.
The issues to address in an awareness program are often beyond the control of your company. In our example, a medical emergency in a third-world country could result in business disruption for the company and significant stress for the employee's family. This may require coordination with or a request for assistance from other private entities or government organizations. Examining your awareness program to ensure proper recommendations for appropriate actions for an unforeseen event beyond your control will assist in management and employee acceptance - an initiative that provides the greatest overall value for the company and the employee.
Your travel security program will obviously be more detailed when focusing on senior management travel awareness. This may include, but not be limited to, pre-travel briefings, on-site assistance, vetting outsourced assistance provided and other special resources needed.
Choosing the most effective method of communicating your awareness program will help ensure acceptance and positive results. This may be through an inter-company security website with links to external security resources (for example, OSAC and/or a contract security intelligence vendor). Posters, bulletin board notices and inter-company memorandums are also productive communications tools. An effective method of communicating your program and its benefits to the traveling employee is to hold employee awareness sessions.
An efficient approach to gain senior management approval is to receive a copy of the individual travel itinerary for every employee traveling outside the country on company business at the time the ticket is issued. Sending a well-thought-out security awareness program document and offering individual briefings to each of these travelers will certainly enhance your program, its acceptance and its effectiveness.
The best way to test effectiveness of your program is to communicate with those who have received and used the awareness program. Sometimes called an "after action review," interviewing employees who have traveled on company business may be helpful. Employees who have actually received the awareness program and utilized the information provided can be your best test of effectiveness and will assist in improving your product.
The above considerations are generic in nature and are not intended to be the panacea. Each company has its own culture and specific manner for processing and managing programs. These considerations are intended to be food for thought as you develop and grow your security awareness program.
Answer provided by Randy Uzzell, Security Executive Council Emeritus Faculty.