Some security awareness programs simply broadcast messages at the organization. Messages flow one way, from the Information Security function to the audience - an audience often dubbed "end users", a disparaging term that implies low-level staff who use computers (and neglects everyone else). A more effective approach is to emphasize social networking and the socialization of security as a primary driver of cultural change, with bidirectional communication increasing the chances that the awareness program reflects and responds to the business.
Establishing a strong social network of friends and supporters of information security throughout the organization takes commitment and sustained effort on the part of the entire Information Security function. The payback over the medium to long term, however, makes it an approach well worth considering. An actively engaged and supportive social network will keep the awareness program, and in fact the information security program as a whole, business-aligned and relevant to the current security issues in the organization, broadening and deepening the department’s influence. On top of that, you can achieve far more through a distributed network of supportive contacts than you could possibly manage alone.
Support from senior management is great but, in our experience, many of the most well-connected and influential workers are low-ranking individuals. They are ‘people people’ with the common touch, a natural flair for social interaction.
This is why we're providing a template rôle description for the Information Security Awareness Contact in September's Information Security 101 module to get you started if you decide to structure and formalize the rôle to this extent. That may not be appropriate or necessary, depending on how your organization handles such issues. Speak to your management and HR about the concept before going too far down that line, including aspects such as recruiting, guiding/coordinating, motivating and rewarding people who accept the rôle.
Colleagues in HR, Security Administration, IT/PC Support, Business Continuity, Risk Management, Compliance and Health & Safety may have similar social networks already in place (e.g. departmental reps, fire marshals and first responders). Invest some time in meeting both those colleagues and their best contacts to find out how the arrangements work on both sides, pick up useful tips ... and hopefully make a few solid-gold contacts of your own.