A security director at a manufacturing company decides that the company's data protection is not where it should be. He focuses on the need to protect against laptop theft. He writes an e-mail that describes the risks to company information and what employees must do to protect their laptops, and then he sends the e-mail to everyone in the company.
Seventy percent of the company's employees do not have laptops. The e-mail means nothing to them. The security director has unwittingly told 70 percent of the people in the company that he does not understand them or their jobs, and he has compromised his ability to influence them in the future by spamming them with unnecessary e-mail.
Meanwhile, the CEO and the EVPs, who also got the e-mail, do not want to read about the specifics of a laptop security program - they want to know what it will cost and what the expected results will be. The e-mail implies that the security director would like to employ new technological methods of data protection, and the senior leaders see dollar signs. It is a bad economy and the company is struggling. This is not the right time.
Even the operations-level staff and laptop users, who would be directly impacted by the new laptop security program, cannot find the information they need in the security director's message. The operations staff needs to know how the new laptop protection program will be implemented so they can train users and prepare laptops, and the laptop users just want to know why it is important for them. The e-mail does not detail any of those things, so it results in more questions and confusion. Several recipients just delete it.
Bob Hayes, managing director of the Security Executive Council, uses this laptop protection example to illustrate what he believes are often the biggest problems in awareness programs: "They're not lined up to get the right information to the right channel at the right time."
Awareness Is Influence
In the process of developing its Security Awareness Program Tool, the Security Executive Council has discussed the elements of successful awareness programs with many of its members and faculty. Their research has shown that awareness is about much more than getting employees to follow policies and procedures. It is an organization-wide endeavor that involves earning senior management support and multi-level buy-in. When it comes down to it, awareness is about gaining influence across the company.
A comprehensive awareness program includes targeted communication with people at each level of the organization, and all awareness efforts must be aligned with the business.
Four Elements of Alignment
If you want to help a group improve in any endeavor, you have to start by knowing what the group and its members are doing, and how and why they are doing it. If you play baseball and you want to improve your team's chances, for example, you have to first know a lot about baseball. You have to know the rules, who plays which position and how they play, the team record and stats, and what the team dynamic is like. If you try to talk to your team without that information, they are going to look at you like you are an idiot.
In the same way, understanding the business is key to getting the right message to the right people at the right time.
As the above graphic shows, there are several elements of business alignment. Security programs - about which you are trying to raise awareness - must be appropriate to the risks, business culture, strategy and direction, and economic situation of the organization. Sometimes aligning across these elements means dropping some projects you personally would like to implement because they do not match the risk appetite of the organization. Sometimes, it means finding less expensive ways to accomplish an important goal. And sometimes it means changing the way you think.