The Value of Branding Your Security Awareness Program
While we have installed firewalls, intrusion detection systems, robust anti-virus and anti-spyware solutions, and strengthened authentication methods, we have still largely ignored security awareness training. And when I say ignored, I mean that most companies now have an Acceptable Use Policy in place that employees have to sign upon employment, but thatâ€™s where the effort stops.
I have been responsible for developing and delivering security awareness programs in both the private and public sectors. And itâ€™s not as easy as it sounds. Itâ€™s not simply about putting up posters in every office hallway and break room. Security awareness programs are about changing culture. But, how do you change culture?
There are several things I have learned along the way. Security awareness training must be a C-level sponsored program with resources allocated to it. While the responsibility for security resides within the IT or Security organization, marketing a program is decidedly not in the typical skill set of IT or Security departments. These are what I believe to be the two primary reasons why security awareness programs never get off the ground: no support from the top and not the right people developing and managing the program.
If you have the top level management support and the promise of resources (people and money) then you can walk up to the start line in developing a program. I have tried various approaches.
In one case, I hired a consultant to come in and work within the information security organization to develop the program. The consultant had a strong IT background and had been responsible for rolling out enterprise-wide global IT programs for very large companies. It seemed like a good idea at the time, but I learned that we had no relationship with the marketing and advertising organizations within the company. The consultant could not seem to make inroads with those organizations we felt to be critical to our success in delivering the program developed.
In another case, I developed a question and answer survey and distributed to employees to find out exactly where the gaps in their information security knowledge was. The purpose was to then design a program around their needs. Why spend time on teaching how to create the perfect password when employees got that under their belts two years ago? Again, is this the type of work that should be going on within the security organization? No.
I came to the conclusion that security awareness programs belong in the marketing and advertising departments. Those departments are experts (hopefully) at branding, developing â€œthe messageâ€, surveying customers, and most importantly changing customer perception about the company or a product. Let them decide how posters, flyers, videos, emails, meetings, free t-shirts and ice cream fit into the program.
Think of some of the major advertising campaigns of our times and think about how they changed your perception and level of understanding about an idea or a product. That is how you have to think about implementing a security awareness program.
I recall an advertising campaign from the 1970â€™s, ran by the Coca-Cola company. The television ad showed a group of people from all cultures standing together on a hill, holding hands and singing, â€œIâ€™d like to teach the world to sing, in perfect harmonyâ€¦â€ The advertising campaign was called "I'd Like to Buy The World a Coke".
To this day, I still ask for â€œCokeâ€ when I want a soda and I am sometimes asked â€œIs Pepsi okay?â€ You see, to me there is no such thing as Pepsi. There is only Coke. Coke is a brand name, but for me it is synonymous with the dark, sweet soda I like to drink.
A successful security awareness program is personal, fun, and integrated into the culture. You want employees to behave in a way that ensures the security of your company. You want them to drink Coke. Think about it.