QUESTION: How can I keep employees engaged in security awareness (long-term) without desensitizing them to awareness messages?
Kathleen Kotwica, Executive Vice President and Chief Knowledge Strategist, Security Executive Council: It is human nature to become habituated to stimuli that are repeated or do not change. If you rely on boilerplate messaging, you are sure to set your program up for less-than-optimal effectiveness.
While it is more work, you need to switch up techniques and messaging on a regular basis. Also, consider programs where your intended audience becomes engaged rather than simply reading something or answering questions.
Develop campaigns that require participation, such as games or contests. Send these out as timed events instead of letting them languish unnoticed on an internal intranet page.
Another thing to remember is to make the awareness communication relevant to them personally. While the goal is to protect business assets, we tend to remember things better when they are specific to our own situation.
Your awareness strategy is a cornerstone of your program; don't let it atrophy.
G. Randolph Uzzell Jr., former Director of Global Security, Burlington Industries; Security Executive Council Emeritus Faculty: That's an interesting and age-old question. The traditional way of generating security awareness was to place tent cards or posters in strategic locations. But if we look at it from a more modern perspective, awareness is part of the security function's alignment with the enterprise business goal and objectives.
You achieve alignment by partnering not only with corporate staff functions, but also with line or operational functions, in order to apply your limited resources in the most efficient manner to achieve business unit and/or corporate goals and objectives.
During this partnering process, you will discover more opportunities to have input into other areas, through business meetings, for instance, or by providing timely reminders to the group's intranet or department newsletter.
These opportunities enable you to further project security awareness messages to the enterprise in a variety of ways without desensitizing them to the important message that security is everyone's responsibility.
Dave Kent, vice president of Global Risk and Business Resources for Genzyme Corporation; Security Executive Council member: You have to understand the business of the people you are talking to and deliver awareness material that directly links to their business deliverables.
If the audience is the CEO or other C-suite executive, you have to understand the business in his or her terms, what his or her level of interest is, and what level of abstraction around the issues he or she can tolerate. Tailor content accordingly and be efficient in delivery.
For business unit leaders or product line managers, you have to know what their markets are, what the products are, their product pipeline, their profitability and finances, so you can deliver an awareness message in language that interests them and is linked to business results.
This way, they can immediately translate the value in their own language. It is a tailored approach, landing a clear security message premised on a solid understanding of the business.
Sandy Sandquist, director of Global Security for General Mills; Security Executive Council member: I've got a small department, but we have more than 30,000 employees across the world, of which nearly 50 percent work outside the United States. You cannot raise awareness in a $15 billion company with that many employees with a small staff unless you are creative in doing it.
The way we become creative is by using many vehicles, not just one. We use targeted brochures in multiple languages, weekly intelligence reports, and we also work with a Security Board of Directors through which we put the various businesses in charge of what our strategy is.