Today I Googled across a thought-provoking opinion piece published in Computerworld back in 2008. Jay Cline's top 5 mistakes of privacy awareness programs were:
- Doing separate training for privacy, security, records management and code of ethics.
- Equating "campaign" with "program."
- Equating "awareness" with "training."
- Using one or two communications channels.
- No measurement.
We've been addressing all those points ever since NoticeBored was launched way back in 2003. It's galling, though, to note that those 'top 5 mistakes' are still evident today in the way that most organizations tackle awareness.
We're doing our best to take current practice up a level through this blog, our awareness materials and services, and occasional articles. Perhaps we need a change of approach ... and we're working on that.
Jay's list of mistakes could be extended. In particular, most awareness programs focus on general employees or "end users". While Jay mentions offering role-based training for particular specialists, I feel that still leaves a gaping hole in awareness coverage, namely management. You could say they are specialists in managing, although there's no hint of that in Jay's piece.
Looking again at the list, all those mistakes could be classed as management or governance issues: problems in the way the awareness and training programs and activities are structured and driven, which, to me at least, implies the need to address that. It's a root cause. If management doesn't first notice that mistakes are being made, and then join the dots to figure out that the way security awareness as a whole is handled is probably causing those mistakes, then we're unlikely to see much improvement.
So, raising management's awareness of information security, risk, compliance, privacy, accountability, governance, assurance and so forth makes a lot of sense ... which is exactly what we aim to do through the management stream in NoticeBored. If management truly 'gets it', the awareness task becomes much more straightforward, giving the awareness and training program as a whole a much greater probability of success, leading to a widespread culture of security.
That leaves us with a chicken-and-egg conundrum though. If management doesn't quite 'get it', in other words if this security awareness stuff doesn't presently register with them as an issue worth investing in (or, more often, is treated as something trivial best left to IT or HR, with no real support and bugger all resources), then how can we tackle management's lack of awareness and break the deadlock?
I'll leave you now to contemplate that question, as I will be doing over the weekend. Maybe the vague thoughts I have in mind will crystallize into something more concrete for the blog next week. Meanwhile, by all means chip-in through the blog comments, or email me directly. I'd love to know what you think, especially any innovative and effective solutions you can offer. Is this an issue you face? How are you tackling it, or planning to do so?