After a busy week away at the ISO27k meeting, I'm catching up with the day-job, working flat out to complete the email security awareness module by the end of this month.
Yesterday, the professionals' seminar slide deck came together nicely:
It's not quite finished yet but the 'story' behind/linking the slides is taking shape.
We've incorporated a mixture of graphic images, diagrams and recent press clippings to illustrate and enhance the content. Notice the near absense of bullet points, avoiding 'death by Powerpoint'. There are a few paragraphs of text quoted in the press clippings (which, we believe, are relevant, topical, interesting and worth it) but most slides use striking visual imagery and strong colors. The idea is for a seminar leader, presenter or facilitator to explain and talk about each slide, conversing and interacting with the audience, where appropriate expanding on the literal content of the slides, interpreting things in the particular context of the organization, the audience and the individuals present, perhaps going off-script to pick up on specific matters of concern and interest.
If we simply wrote out a bunch of bullet points or paragraphs, there would be a tendency for presenters to read them out word-by-word, a very tedious and boring approach for all concerned. Worse still, it would be harder for them to ad lib, for instance picking up on corporate strategies and policies, current incidents, applicable laws and regulations etc.
Someone (who shall remain nameless) actually did that at the ISO27k meeting last week. He read out the entire contents of several wordy slides, verbatim, destracting us from reading and contemplating the content ourselves and so, in a sense, detracting from the value of the slides. We would have been better off without the presenter! To give him his due, it was a formal meeting and I strongly suspect he was asked to present someone else's unfamiliar content. He did seem uncomfortable in that position, a shame given his presence, expertise and ability to project quite strongly. Personally, I got far more value from the nature of the presentation than from the content.
Anyway, the slides above illustrate a distinctly different approach. The scope diagram, risk graphics and mind map, for instance, are meant to intrigue as well as inform the audience. The 'speaker notes' accompanying each slide (not shown here) pick out the key points that we hope the presenter will emphasize, preferably NOT by literally reading out the speaker notes verbatim! We want everyone to contemplate the meaning for themselves: in so doing, they will internalize the key messages, reconsider/adjust their perspectives and ultimately behave more securely, which is of course the ultimate aim of security awareness.
If the awareness approach has no impact - if the materials and activities don't improve workers' decisions and behaviors, we might as well not bother. To put that anotehr way, lame (as in inept, inappropriate, ineffective, boring ...) security awareness and training approaches destroy value. This is why some people say awareness doesn't work. They're doing it wrong!
To be fair, it takes a lot of effort to design and develop good seminar materials, to find, incorporate and reference those press clippings, prepare the risk graphics and mind maps etc., and most importantly clarify the 'story' and the messages we want to express. We've had lots of practice, producing at least 3 awareness slide decks per month for many years and presenting frequently at conferences and courses ... and also (as noted above) attending and critiquing presentations by others. Aside from the conferences and courses we have attended as punters, we have given and received numerous management and group presentations (e.g. audit reports, board presentations, phone meetings and video conferences), webinars and sales pitches over the years, and we've read the odd website, article and book concerning presentation and communications techniques. We observe TV and radio presenters doing their thing, thinking about their differing approaches and styles. We are still learning and improving, all the time discovering new techniques to explore and adopt as well as those to avoid like the plague. We're continually investing not just in the product but also the production methods, approaches and tools, not least our own competencies and skills. Genuine, honest, especially constructive feedback from others (yes, you!) is gold dust for us.
Hopefully you are getting useful hints and ideas from this blog. Thank you for taking the time to read this. I hope I've made you think. Anything you'd like to add? Comments are open ... over to you ...