As today is the last day of April, we've been running flat out in top gear all week to complete May's awareness materials on email and messaging security before our self-imposed delivery deadline. There is just one more paper to prepare today while the proofreading is in progress, then we'll package and deliver the materials before taking a breather.
The final paper to cross the line this month will be a management-level awareness piece about security metrics for email and messaging.
It should take two or three hours to prepare, on the basis that I write at about one A4 page per hour on average. If that sounds slow, my excuse is that a lot of thinking and creative effort goes into each piece: I'm not just typing frantically - far from it. The shortest, most succinct and high-level awareness items often seem to take the longest to prepare, especially the ones with diagrams and figures.
The starting point for all our materials is a template, an MS Word template in this case with a little boilerplate text, page header and footer, the section headings and two tables in which to develop and describe the metrics.
A quick search-and-replace is all it takes to drop 'email and messaging security' in place of the template's 5 'title' placeholders, and we're off and running.
There's a handy set of Word styles in the template too which I find invaluable in practice: using styles, it's easy to make the document look professional and polished. The fonts, font size, margins, page headers and footers etc. are consistent, both within each document and across the entire module. If for some reason I feel the need to adjust the spacing (e.g. to squeeze an extra line onto a page), I update the style's settings to have it instantly applied to all the text using that particular style.
The really nice thing about styles is that customers can just as easily adopt their own corporate look-and-feel. Changing the main text from 12 point Calibri to, say, 11 point Arial or 12 point Times New Roman, and making the headings 20 point italics instead of 16 point bold simply involves modifying or replacing the styles accordingly. It's a small but important part of making the awareness materials 'theirs'.
We actively encourage customers to replace the NoticeBored logo with their own, whether a corporate logo or one specifically for information security. The idea is both to brand and bind all the awareness materials as a coherent set, and to link them to the organization, specifically, rather than being some generic product. Simple customization (such as mentioning relevant corporate functions, policies etc.) is straightforward too, so the awareness content that eventually goes out to their employees appears to have been prepared in-house by their information security people. It should resonate with the audiences better than some anonymous newsletter or sterile infographic.
Our templates and styles have evolved over the years that we've been doing this stuff. We've invested time into getting them right, with a payoff every time we use them. I noticed yesterday that cutting-and-pasting slides between, say, the staff and management PowerPoint presentations doesn't always go smoothly: for some reason, the pasted-in slide titles and numbers don't consistently pick up the destination styles correctly. When I get the chance, I need to investigate the reasons and sort that out.
That's it for now though. The metrics template awaits. How would you measure email and messaging risks and security?