Welcome to the SecAware blog

I spy with my beady eye ...

4 Sept 2017

NBlog September 4 - InfoSec 101 elevator pitch, final part

Moving on from our discussion of the first two paragraphs of this month's elevator pitch paper in part 1 and part 2, here's the closing paragraph:
As a manager, you play a vital governance, leadership and oversight rĂ´le.  Please make the effort to engage with and support the security awareness program, discuss information risk and security with your colleagues, and help us strengthen the corporate security culture.
In classical marketing terms, it's the call-to-action for people who have been lured and hooked. Having presented our case, what do we actually want them to do?  

Compared to the preceding two, the third paragraph is quite long. 

While we could easily have dropped the first sentence, it serves a purpose. It shows deference to the management audience, acknowledging their influential and powerful status, gently reminding them that they are expected to direct and oversee things. Essentially (in not so many word), it says "Pay attention! This is an obligation, one of your duties as a manager."

The final sentence, including those three words in bold, was especially tricky to write for the InfoSec 101 module. What is it, exactly, that we expect senior managers to do in relation to this very broad introductory-level topic? Think about that question for a moment. There are many possible answers e.g.:
  • Show leadership
  • Demonstrate commitment
  • Support the Information Security Management System (in an ISO27k organization)
  • Get actively involved in information risk and security management activities, such as risk assessment and risk treatment decisions
  • Raise the profile and priority of information risk and security matters
  • Provide adequate resources to do this stuff properly for once (!)
  • Encourage or enforce compliance
In the end, we settled on asking managers to demonstrate their 'support' in a non-specific way. In practice, that would vary between individual managers in various business units or departments. The call-to-action is context-dependent and hence very difficult to specify without an understanding of the audience and their situation, which we don't possess at the point of writing the awareness materials. It should be clearer when the messages are being delivered, and obviously we hope they make enough sense to resonate and influence the audience's decisions and behaviors, otherwise awareness is a pointless exercise.

In other awareness modules, the closing message for the elevator pitch is usually more obvious in that we focus the spotlight on distinct areas of information risk and security each month. For instance, in August's awareness module on cyberinsurance, the elevator pitch ended with a thought-provoking question: "Without cyberinsurance, serious cyber incidents could prove devastating if they occurred: we would save the insurance premium but is that a gamble worth taking?". The call-to-action was implicit rather than explicit. Our words deliberately raise a doubt. We couldn't simply say "Buy cyberinsurance!" as that may be inappropriate and unnecessary for some customers, not least those who already have it. Although more explicit, something along the lines of "Consider taking out cyberinsurance" would have been bland, lame and pathetic. "Is that a gamble worth taking?" is more of an intellectual challenge. In fishing terms, we're trying to get a rise out of the audience.

This month, we've deliberately sown the seed for next month's awareness module on 'security culture'. There will be much more to say, expanding those three bold words into an entire awareness topic. Linking the awareness topics together like this is yet another way to form a series of discrete awareness items into a coherent program, in turn supporting the security culture. 

So, there you go. Over three blog pieces, it has taken me about a thousand words to explain a hundred. Has it prompted you to think differently about management-level security awareness? 

I think it's obvious why short awareness items can take a disproportionate amount of effort to compose. The end result has very few words, but they are very carefully selected for maximum impact and value.

Cue Blaise Pascal:

"Je n'ai fait celle-ci plus longue que parce que je n'ai pas eu le loisir de la faire plus courte."

which Google translates as:
"I have made it longer only because I have not had the leisure [time] to make it shorter."
If you don't have the time and energy to prepare security awareness content, leave it to us! It's what we do - more than just a job, it's our passion.

No comments:

Post a Comment