QUESTION: How can I keep employees engaged in security awareness (long-term) without desensitizing them to awareness messages?
While it is more work, you need to switch up techniques and messaging on a regular basis. Also, consider programs where your intended audience becomes engaged rather than simply reading something or answering questions.
Develop campaigns that require participation, such as games or contests. Send these out as timed events instead of letting them languish unnoticed on an internal intranet page.
Another thing to remember is to make the awareness communication relevant to them personally. While the goal is to protect business assets, we tend to remember things better when they are specific to our own situation.
Your awareness strategy is a cornerstone of your program; don't let it atrophy.
You achieve alignment by partnering not only with corporate staff functions, but also with line or operational functions, in order to apply your limited resources in the most efficient manner to achieve business unit and/or corporate goals and objectives.
During this partnering process, you will discover more opportunities to have input into other areas, through business meetings, for instance, or by providing timely reminders to the group's intranet or department newsletter.
These opportunities enable you to further project security awareness messages to the enterprise in a variety of ways without desensitizing them to the important message that security is everyone's responsibility.
If the audience is the CEO or other C-suite executive, you have to understand the business in his or her terms, what his or her level of interest is, and what level of abstraction around the issues he or she can tolerate. Tailor content accordingly and be efficient in delivery.
For business unit leaders or product line managers, you have to know what their markets are, what the products are, their product pipeline, their profitability and finances, so you can deliver an awareness message in language that interests them and is linked to business results.
This way, they can immediately translate the value in their own language. It is a tailored approach, landing a clear security message premised on a solid understanding of the business.
The way we become creative is by using many vehicles, not just one. We use targeted brochures in multiple languages, weekly intelligence reports, and we also work with a Security Board of Directors through which we put the various businesses in charge of what our strategy is.
If you are out there truly attempting to help business leaders meet their forward-thinking objectives and helping them with solutions on risk, you become part of the solution, and from that comes the credibility that enables you to continue with the process of creating awareness across the entire employee population.
NEXT MONTH'S QUESTION: How can I best prepare to interview for an executive-level risk or security position?
For more information about the Security Executive Council, please visit www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the SEC and reprinted with permission. All rights reserved.
