
June 24, 2008


Gary Hinson

Those are good questions and answers, but I'd like to add something.

1. Which risks to cover?
Personally, I prefer to cover as many relevant topics as reasonably possible rather than investing loads of time on just a few. As to how to choose which risks to cover, there are loads of potential awareness topics: we work with about 30 (see www.noticebored.com/html/topics.html) while Rebecca Herold lists about 60 in her book "Managing an information security and privacy awareness and training program" (highly recommended!). From those lists or your own, pick out things that are topical and relevant in your organization, for example issues that have led to recent incidents. You don't necessarily need to plan the entire sequence of topics right now, just the current (being delivered) and next one (in preparation) would be enough. That way you can respond to incidents and issues as they arise, and adapt the program to reflect experience.

2. Best value initiatives?
A managed, rolling/continuous security awareness program is a good start but to make it exceptional, factor in the need to address different audiences within your organization - for example, staff, managers and IT professionals. They have different awareness needs, so cater to that with targeted materials written in a style that meets their needs. [There's more at the NoticeBored.com site.]

3. How to test effectiveness?
That's a can-o-worms! In conjunction with your management, you need to figure out the targets for the awareness program and then derive the corresponding metrics. Actually measuring stuff is likely to involve things such as employee surveys and tests but with some creative thinking, you can probably come up with other measures (e.g. page views on information security's intranet web site, showing how each awareness topic stimulates interest in the corresponding awareness materials, policies etc.).

4. How to get management buy-in?
Two suggestions here: first, start working on management's level of security awareness. Talk to managers about their security issues. Find out about things such as policy exceptions, drivers such as compliance and risk management. Find friends in high places. Next, prepare a business case with a cost-benefit justification for the awareness program. Demonstrate that the multitude of benefits from enhanced security awareness will far outweigh the costs of delivering the program, and work with those friends-in-high-places to persuade their peers. [There's a generic business case paper on our website too.]

Good luck!

