What makes an information security awareness programme effective? As in most cases, the answer is “it depends”.
Let me elaborate. If your goal is simply to obtain that magic compliance tick, then maybe you’ll use some form of computer based training (CBT) coupled with some quizzes and possibly a few videos on your intranet page, and bingo, you’ve ticked the box! As an industry we are still heavily reliant on tools or packages to train or educate staff and make them security aware. However, these are rarely used in a defined and structured manner. Don’t get me wrong, CBTs, quizzes and videos are great tools, but they should be used as part of your programme, not be the entirety of it. Actually, I don’t believe most environments need to train or educate their staff on security issues; I think that’s an outdated approach. What they need to do is elevate their current level of security awareness to foster a more security-conscious approach to their work and ultimately work toward building a security culture.
Changing behaviours is only possible when you understand and appreciate your existing organisational culture, look at how the different personalities within your organisation work, and use a structured and measured approach. Building security culture is no exception. Below are a few points that I think are important when you’re seeking to influence and effect change:
Buy-in – It’s become such a cliché because it’s true. You need “the trust from the top”. Yes, it’s about the funds, but more importantly it’s about the support, the belief that it will make a difference and that ultimately it’s about enabling the business.
Understand and respect your current organisational culture – If you step back and think about the different departments in your business, the tone management sets, and the different roles and responsibilities, you’ll see the different personalities that exist. The key is to appreciate the daily activities that go on, what their key motivations are, what they need to deliver, and what their objectives are. When you appreciate this you can then look at how best to tailor security messages for them.
Know where you want to get to – Look at your current level of security consciousness and think about what’s ideal for your environment, not anyone else’s but yours. Define and set achievable goals, run campaigns that double as measures of success, and target each campaign at a particular department. Ultimately your campaigns can become your programme. A small campaign is easily structured, managed and measured, and when it succeeds you can replicate it across different departments.
Involve the right people – Odds are that you already have the majority of the skills and experience you need in your organisation; it’s just a case of building relationships, being transparent about your objectives and working together. Seek assistance from departments such as HR, Marketing, PR and Legal; these are the departments that can help package your activities in line with corporate standards.
Prepare, plan, execute, review and repeat – If you already run projects, and maybe even programmes, you’ve already got the skills to draw on. Odds are that you already have a security improvement plan of some sort, or something similar is about to be launched; that’s a great place to start, so align these activities with it.
Understand that it’s an ongoing programme of work – When you’re building security culture in your organisation, appreciate that it needs to be a dynamic activity; it should adapt to business and staff needs. If you use the ITIL framework you’ll know about Continual Service Improvement; think of this activity in the same manner: Continual Security Culture Improvement.
In essence, what I’ve described above is the Security Culture Framework, developed by Kai Roer of The Roer Group. It’s an open framework that consists of four elements, namely metrics, organisation, topics and planner. You can find out more about it here – https://scf.roer.com/
A company that has been using the Security Culture Framework as part of their awareness activities is Just Eat. I caught up with their Head of Information Security, Shan Lee, at 44Con and we got chatting about awareness, changing behaviour and security culture. Here’s what he had to say:
“You absolutely have to tailor any program not only for your organisation, but for parts of the organisation. What works at JUST EAT probably wouldn’t work in a bank, and I don’t speak the same language to our developers that I do to our call centre agents or finance people.
A central theme with a strong message is essential, but it has to be varied according to the target audience, and that theme must be consistently and constantly reinforced through the widest range of media that you can efficiently manage.
Divide the program into manageable chunks, put a clear objective around what each chunk is trying to achieve and find a way to measure its success.
You’ll soon know what’s working and what isn’t, then it’s rinse and repeat.”
To summarise, I think we as an industry need to appreciate that what may have worked in the past doesn’t work in the present and definitely won’t work in the future. In fact, I think we should ditch the term information security awareness and call it security culture.