Many people wonder what the best way is to implement information security in an organization while ensuring swift and radical change management at the same time: core technical tools, a SharePoint portal, a website, a lecture by top management, or recognition during the annual appraisals? The answer may be yes, but these are only some of the tools, not the whole of the required solution. As a matter of fact, most organizations fail to roll out an information security program effectively and successfully because not all stakeholders are on the same page, the implementation is not “well planned”, and it “does not speak the language of the audience”.
I hope you will agree that implementing a management system requires a lot of formal and informal effort, as every management system comes with its own set of requirements, policy-level changes, or changes in the ways of doing things. In some cases, either the traditional way of doing something changes entirely (e.g. access management), or something previously not considered very important now becomes a mandatory requirement by virtue of the standard (e.g. risk assessment). Hence it is important that all requirements of the management system are carefully understood, a proper training and awareness plan is designed, and appropriate mediums are selected to ensure that all stakeholders are on the same page, so that the desired results can be obtained and the organization gets its ROI as planned.
My entire information security implementation experience at Business Beam tells me that an effective information security program cannot be implemented without an effective and innovative employee awareness and training program that addresses policy, procedures, and tools according to the specific needs of each audience. Quite often security professionals implement the “perfect” security program and are then surprised that it fails because they forgot to sell their product to their constituents! So I believe that in order to be successful, the information security professional must find a way to sell this product to the customers. And this, by all means, can be achieved with the help of an effective and innovative employee awareness and training program, as I mentioned previously.
In my view, the development of information security policies, standards, procedures, and guidelines is only the beginning of an effective information security program. Employees want to know what is expected of them and whom to turn to for assistance, so your ongoing information security awareness program should provide those answers to the user community. Another key goal of an awareness program is to ensure that all personnel get the message. However, a “one size fits all” training or awareness program will not meet the desired expectations. As a matter of fact, you have to read your audience and convey your message in their “own language”. Keep it short, simple and benefits-oriented to win the buy-in of your audience.
So what I am trying to establish is that each group of employees requires a different language, a different timeframe and a different approach to security awareness presentations. So “tailor” your awareness programme accordingly. As for how to do it, let’s have a closer look at some of the tips below:
Remember! Senior management is always busy. We all agree that senior management has little time, even for issues as important as information security. So all you need to do is prepare a special brief, concise presentation and have in-depth supporting documentation available. They generally prefer that the presenter sits with them for a few minutes and discusses the issues and how the security program will support their objectives. They don’t want to sit for hours listening to you and looking at your fancy presentations. Hence quickly explain the purpose of the program, identify any problem areas, and state what solutions you propose. Suggest an action plan to them, and do not go to them with a problem for which you have no solution. You are the expert here, and they expect you to come to them with your informed opinion on how the organization should move forward.
These individuals are focused on getting their jobs done. They are also busy, but can spare time for you if the information security initiative is being driven from the top. They will not be interested in anything that appears to slow down their already tight schedules. To win them over, it will be necessary to demonstrate how the new information security controls will improve their performance processes. Stress how the new processes will give employees the tools they need (such as access to information and systems) in a timely and efficient manner. Show them the problem resolution process and whom to call if there are any problems with the implementation of the new processes. Giving the impression that you are there as a helping hand helps greatly. Above all, your newly introduced processes should be simple and efficient rather than becoming a source of work or time overhead.
Use a soft tone to convey your message, linking the benefits to the newly introduced controls rather than dictating your terms; otherwise you will never succeed. Identify what is expected of them and how it will assist them in the future, e.g. in gaining access to the information and other resources they need to complete their assigned tasks. Point out that by protecting access to information, they can have a reasonable level of assurance that their information assets will be protected from unauthorized access, modification, disclosure, or destruction. This means that you have to show them the benefits in a very loud and clear tone; otherwise, your system will be considered an overhead only!
What should be your message?
Employees need to know that information is an important enterprise asset and is the property of the organization. All employees have a responsibility to ensure that this asset, like all other company assets, is properly protected and is used to support management-approved activities. This should be the baseline. The awareness program will make employees aware of the possible threats and what they can do to combat them.
- Prioritize the message according to the audience
- Select the most pressing issue from your systems list, or a topic that the Information Security Steering Committee has identified as vital
- Know who you are talking to and provide them with information they can use and understand
- Tailor the presentation to the vocabulary and skill set of the audience
- Keep the awareness sessions as brief as possible. It is normally recommended to keep sessions to no more than 50 minutes
- Start your session with an attention-grabbing piece, such as a video message from the chief executive
- Understand the needs, knowledge, and job roles of the attendees
- Stress the positive and business side of security
- You will have to sell them the concept that security is good for them
Hence an information security program is all about being simple and tailored to the needs of the audience. You can have guaranteed success if you speak the language of your audience and show them the benefits. This will help you achieve sustained success in both the short and the long term.
For comments & feedback: email@example.com