Welcome to the SecAware blog

I spy with my beady eye ...

12 Jul 2010

Rejuvenating a security awareness program

Regardless of whether your security awareness program is barely off the ground or has been running for a while, we all come up against barriers from time to time.  It can be very dispiriting for those of us tasked with “doing awareness”, leading to a drop in our morale and energy, but fear not, brave awareness person!  With a bit of creative or lateral thinking, there are all sorts of things you can do to bring your program back on track.  Here are six ways to tackle those barriers.

1.  Hit the barrier head-on
This is exactly what we normally do.  We ‘try harder’ and ‘have another go’.  Sometimes it works but occasionally, when we’ve hit our heads against the barrier and bruised our ego once too often, we realize it is no longer working and something has to change.  This is the trigger to take stock of the situation and plan something different – whether subtly or radically different is up to you.

2.  Overwhelm the barrier
This involves more than simply ‘more of the same’.  Be prepared to experiment, trying different approaches in areas where things have not gone to plan previously.  Think back to what has gone well and what hasn’t (and review your feedback forms if you have been using them), and learn from your experiences, e.g. if your awareness seminars often seem to fall flat with poor attendance, try organizing “Q&A sessions” or “brown bag lunches” or whatever instead.  Consider inviting outside speakers or charismatic insiders to speak on security topics.

3.  Call in the cavalry
Did your CEO or Board of Directors originally support the proposal to invest in an awareness program?  Have they since quietly disappeared into the background?  Now’s the time to call on their proactive support!  Explain that you believe the program is flagging because they are not playing an active part in it, and suggest some practical ways in which they can help.  Appeals of this nature are best put face-to-face.  In conjunction with your line manager, see if you can schedule a short meeting with the CEO to explain what is going on and seek her assistance.  Prepare a shortlist of specific suggestions to answer the inevitable question, “What do you want me to do about it?”

4.  Undermine the barrier
Be realistic.  Are you overstretching yourself?  Maybe it’s too much work to keep up with the variety of topics you need to cover.  Perhaps you are spreading your effort too thinly.  Take another look at your awareness plan: are there topics you can combine or set aside for a while as you gather your strength?  Do you need help from other experts in internal communications, training or security?  Even if you cannot secure permanent resources, a heart-felt appeal to your colleagues (including your ‘awareness ambassadors’) may only secure you an hour or two of their time, but that may be just enough to set you back on the road to success.  Students, contractors and consultants all have their place, so don’t get fixated on permanent headcount.  Are there pieces of work that eat your time but could be packaged up for someone else to do (like, for example, NoticeBored)?

5.  Go around the barrier
Sometimes the problem stems from an individual person or function that always seems to be in the way.  Can you identify the blockage?  Have you tried to discover why they are blocking you?  Have you discussed things openly with them?  Have you tried reasoning and bartering (“If you’ll agree to promote the security awareness program, I’ll give you an hour a month to help with your intranet website”)?

6.  Take another route
Think parachute drops into enemy territory.  Try picking up on other awareness and communications activities in the organization and learning from them.  Is there maybe a safety or legal compliance program in place?  Are there opportunities to combine efforts on specific topics of common interest?  How about planning a joint seminar, or back-to-back seminars?  Have they got expertise and ideas you could capitalize on, and vice versa?
