Our awareness topic for June is in the area of incident and business continuity management.
Although the scope is quite indistinct at this point, it will gradually fall into place as the materials come together and at first broad themes then specific awareness messages emerge during the remainder of May.
There are several aspects of interest and concern, such as:
- Identifying events and incidents
- Reporting them
- Evaluating them
- Triggering incident responses
- Responding appropriately
- Maintaining critical information services, IT systems etc., supporting critical business processes
- Recovering/restoring/replacing broken stuff
- Getting back to normal
- Learning and improving for the next time around
So, straight away, the idea of a loop, a cyclical or repetitive process springs to mind, one that the organization runs routinely with relatively minor events and incidents, practicing and preparing for The Big One ... although I'm thinking there are probably material differences in the approach for dealing with disastrous showstoppers and coincident events compared to the usual everyday run-o'-the-mill stuff, which suggests researching and exploring that aspect, perhaps, for the management and professional awareness streams.
I'm fascinated by the concepts of resilience (keeping vital things going despite stuff going wrong) and contingency (coping with the unexpected, making the best of available resources, doing what needs to be done), so I expect they will feature in the awareness materials. Exactly how and where is yet to be determined.
Information risk and security management underpins all of what we do. Aside from the obvious detective and corrective controls, we probably ought to mention risk avoidance, risk sharing and incident prevention too - but only briefly. The cool part about NoticeBored's rolling/continuous approach to awareness is that we have plenty of opportunities to delve into those other areas during the year/s ahead. We can touch on them in June without having to explain and divert attention from the prime focus. Likewise, when they come up for more in-depth treatment, we can casually refer back to incident and business continuity management, reminding audiences about June's module with barely a word. Oh and in June we might tantalize our audiences with the merest glimpses of awareness topics already planned for July through October.
This is real "refresher training" - not just dusting off and trotting out the same old same old. We're teaching adults to think, not training seals to perform. Rote repetition is fine for learning multiplication tables but not for an area as dynamic and complex as ours. Aside from anything else, it is tedious. Boring even.
On that thought, it occurs to me that a privacy breach would be a good example incident to discuss in June, an obvious reference back to May's awareness topic. The idea is to trigger memories, reinforce conceptual linkages, remind people about the fundamentals and help the audiences assemble the bigger picture. Over time, security awareness levels are lifted and then maintained at a higher level, gradually leading to the deeper cultural changes that our customers are seeking.
Risk management failure is yet another possible angle to consider, both in terms of failures to identify and prevent incidents, and failures of the incident and business continuity activities themselves ... but maybe another time. There's already loads to do for June. As I said, the scope of the module is already starting to crystallize and fall into place, so I'm keeping calm and carrying on.