Q. I have a security awareness program in place but am unsure it's all it can be. In your experience, how did you determine which risks to build the program around? Which awareness initiatives provided the greatest value overall to the company? How did you test effectiveness? How did you get senior management's buy-in for those initiatives?
A. One of the best ways to answer these questions is to discuss them with senior management in each business segment of your company. Determining risks will require an examination of your company's business plan, identifying the most significant assets and deciding which issue or loss would do the most damage to your brand name. Gaining the participation of business segment managers will not only help you focus your limited resources in the most productive direction, but will assist in developing business focused partnerships to help ensure the long term success of your security program. Keep in mind the security awareness program is for the employees/associates and should address their perceived needs.
Let's use travel security as an example of a risk your company has determined requires an awareness program, because the company's greatest asset is employees/associates and the greatest threat to employees/associates occurs while traveling on company business. The focus would be to develop an awareness program around travel security to help employees/associates be aware of potential risks and to recommend a proactive methodology. Addressing the basics is the best approach for a travel awareness program. This would obviously include awareness of surroundings, avoiding certain areas or events, and so on. However, even with the most well-thought-out awareness programs, undesirable events can still occur. Your awareness program should include recommendations for post-event actions to expedite recovery and minimize business disruption.
The issues to address in an awareness program are often beyond the control of your company. In our example, a medical emergency in a third-world country could result in business disruption for the company and significant stress for the employee's family. This may require coordination with or a request for assistance from other private entities or government organizations. Examining your awareness program to ensure proper recommendations for appropriate actions for an unforeseen event beyond your control will assist in management and employee acceptance - an initiative that provides the greatest overall value for the company and the employee.
Your travel security program will obviously be more detailed when focusing on senior management travel awareness. This may include, but not be limited to, pre-travel briefings, on site assistance, vetting outsourced assistance provided and other special resources needed.
Choosing the most effective method of communicating your awareness program will help ensure acceptance and positive results. This may be through an inter-company security website with links to external security resources (for example, OSAC and/or a contract security intelligence vendor). Posters, bulletin board notices and inter-company memorandums are also productive communications tools. An effective method of communicating your program and its benefits to the traveling employee is to hold employee awareness sessions.
An efficient approach to gain senior management approval is to receive a copy of the individual travel itinerary for every employee traveling outside the country on company business at the time the ticket is issued. Sending a well thought out security awareness program document and offering individual briefings to each of these travelers will certainly enhance your program, its acceptance and its effectiveness.
The best way to test effectiveness of your program is to communicate with those who have received and used the awareness program. Sometimes called an "after action review," interviewing employees who have traveled on company business may be helpful. Employees who have actually received the awareness program and utilized the information provided can be your best test of effectiveness and will assist in improving your product.
The above considerations are generic in nature and are not intended to be the panacea. Each company has its own culture and specific manner for processing and managing programs. These considerations are intended to be food for thought as you develop and grow your security awareness program.
Answer provided by Randy Uzzell, Security Executive Council Emeritus Faculty.
Those are good questions and answers, but I'd like to add something.
1. Which risks to cover?
Personally, I prefer to cover as many relevant topics as reasonably possible rather than investing loads of time on just a few. As to how to choose which risks to cover, there are loads of potential awareness topics: we work with about 30 (see www.noticebored.com/html/topics.html) while Rebecca Herold lists about 60 in her book "Managing an information security and privacy awareness and training program" (highly recommended!). From those lists or your own, pick out things that are topical and relevant in your organization, for example issues that have led to recent incidents. You don't necessarily need to plan the entire sequence of topics right now, just the current (being delivered) and next one (in preparation) would be enough. That way you can respond to incidents and issues as they arise, and adapt the program to reflect experience.
2. Best value initiatives?
A managed, rolling/continuous security awareness program is a good start but to make it exceptional, factor in the need to address different audiences within your organization - for example, staff, managers and IT professionals. They have different awareness needs, so cater to that with targeted materials written in a style that meets their needs. [There's more at the NoticeBored.com site.]
3. How to test effectiveness?
That's a can-o-worms! In conjunction with your management, you need to figure out the targets for the awareness program and then derive the corresponding metrics. Actually measuring stuff is likely to involve things such as employee surveys and tests but with some creative thinking, you can probably come up with other measures (e.g. page views on information security's intranet web site, showing how each awareness topic stimulates interest in the corresponding awareness materials, policies etc.).
4. How to get management buy-in?
Two suggestions here: first, start working on management's level of security awareness. Talk to managers about their security issues. Find out about things such as policy exceptions, and drivers such as compliance and risk management. Find friends in high places. Next, prepare a business case with a cost-benefit justification for the awareness program. Demonstrate that the multitude of benefits from enhanced security awareness will far outweigh the costs of delivering the program, and work with those friends-in-high-places to persuade their peers. [There's a generic business case paper on our website too.]
Good luck!
Gary.
Posted by: Gary Hinson | June 25, 2008 at 08:00 PM