Ours is not the only subject area that benefits from awareness in a corporate context. Typical organizations run several awareness programs, initiatives or activities in parallel, hopefully covering information risk and security (or security, IT security, or cybersecurity, or whatever they call it) plus:
- IT/tech awareness;
- Privacy awareness, and other compliance awareness concerning both external legal/regulatory and/or internal policy/strategy obligations;
- Health and safety awareness;
- Project and change awareness (e.g. new business initiatives, new systems, new ways of working ...);
- Commercial/business/corporate awareness;
- Strategy/vision/values awareness;
- Brand/marketing/competitor/industry awareness;
- Risk awareness;
- Fraud awareness;
- Financial/accounting awareness;
- Management awareness;
- Human Resources awareness, including discrimination, employment practices, motivation, team working, violence in the workplace, disciplinary processes, capability development, stress management etc.
I've called them all "awareness" but in practice they may be known as "training" or "education" or "information" or "support" or "mentoring" or "competence enhancement". Aside from the obvious subject matter differences, they also vary in terms of:
- The audiences (e.g. managers and/or staff, company-wide or specific sites, departments, teams or individuals);
- The delivery mechanisms (e.g. courses, meetings, seminars, lectures, Intranet content, leaflets, one-on-one ...);
- Formats and styles of material;
- Push and/or pull (e.g. information gets disseminated out to the audience, or is available on request from audience members, or both);
- The timing (e.g. one off, annual, quarterly, monthly, weekly, daily, ad hoc/sporadic);
- The learning objectives (e.g. strict compliance may be a primary or secondary goal: there may be business or personal objectives too).
So far, I've only mentioned the typical corporate environment but awareness is a far broader concern. For example, there are many government-led public awareness activities ongoing, most but not all relating to compliance (e.g. tax, speeding, health, schooling), and several industry, focus-group and commercial awareness activities (not least the enormously active field of marketing, advertising and promotion).
Thinking about the above, it's obvious that there are many ways to skin a cat and many cats to skin ... which hints at two approaches to advance the practice of security awareness:
- There are clearly loads of ideas out there on how to 'do' awareness with an enormous variety of approaches in use right now. A little research will reveal many nuances and variants, including ideas stemming from the underlying psychology of education, influence, motivation and coercion, and creative approaches (such as social media, a massive growth area for at least the past decade - this very blog for example). Would you consider exploring and maybe trying some of them out? If not, is that because you are stuck in the groove, doing the same old stuff time after time through habit or because you (or your boss and colleagues) lack imagination, or are there other reasons/excuses (such as lack of time and budget)? How about starting small with little changes, maybe experimenting with new formats or delivery processes?
- Many of the ongoing parallel awareness activities share common ground, hence they could usefully be aligned and coordinated to make the most of their pooled resources ... except this is very rare in practice: it's as if every awareness team or person is selfishly pursuing their own goal. Some even talk of 'competing for head space', making this a competitive rather than cooperative activity. Why is that?
Coordinating and collaborating on awareness is something that fascinates me. In our own little way, we actively encourage customers to liaise with their professional colleagues who share an interest in the monthly topic - for example, May's email security awareness topic is of direct interest and concern to the IT department. The idea of collaborating with awareness and training colleagues on a much broader level suggests forming and exploiting social networks, and tapping into other fields of interest such as advertising and education. Innovation is an excellent way to stave off boredom and improve the effectiveness of your security awareness program.