A series of 3 monthly blogs from Mo Amin and ‘Restricted Intelligence’.
Just as we are all as individual as the stars in the sky or the coffee options available on the high street, no two organisations are the same. Some are huge with hefty resources but little flexibility, others are small and light on their feet, but lacking relevant expertise. Some have whole squads dedicated to cyber and information security, others need a specialist to helicopter in and take the pain away. So, wherever you find yourself on this glorious spectrum, here is some hands-on, lived experience to help deliver a custom-built awareness campaign that is both effective and sustainable.
PART 1: UNDERSTAND YOUR ENVIRONMENT
Find your behavioural baseline …
The first step is a dose of humility. You have to appreciate that an organisational culture already exists. Within this there are separate micro-cultures across different business units whether that be Finance, HR, IT, Marketing or Sales. You have to recognise and understand all of this. More than that, it’s a mistake to expect these existing cultures to adapt to your programme. It is absolutely your job to tailor your security culture programme to what exists. People are busy, they have their own deadlines, their own agendas. It’s very unlikely that Information Security is the thing that keeps them awake at night.
How? Run a security culture survey study.
Whatever you do, don’t actually mention the word ‘survey’ in your comms – people have ‘survey’ fatigue in most organisations. It’s the annoying sort of thing you get after booking a hotel or after they change the menu in the staff restaurant. ‘Study’, on the other hand, brings credibility and substance, because this is important stuff that can save a business or organisation precious time and money. Your ‘study’ will enable you to get a picture of existing behaviours: from team dynamics, competing objectives and attitudes, to local security practices. It will also shine a light on local risks and pain points. It will help you establish where you are at the moment and pinpoint where you want to be. Crucially, it will inform your route to get there. The study is a holistic thing, comprising two distinct but complementary activities that together build a complete picture.
Survey – the quantitative bit – to gather data. Make sure to test your survey with a sample group before it goes live! Don’t make the same mistake I did once and leave an obvious error in the questions!
Focus groups – the qualitative bit – to tease out the human story behind the numbers.
Thinking in terms more familiar in the PR, Marketing or Advertising fields helps create the right mindset. Campaigns are planned; they have a carefully thought-through sequence of events, all with a simple, defined end goal – maximum impact on the broadest demographic. As they say, timing is everything, so pick a start date and set out a sequence of activities, giving yourself time to get everything in place.
Create a network of allies. Involving the right people – HR, Legal, Internal Communications – will give a rocket-fuelled boost to your activities. Internal Comms, however, will need to be your closest allies – turning to them at the last minute for help with a campaign is going to fail – I speak from bitter experience. Likewise, if you have a security champions/ambassadors network, make this a key activity for them to help promote and run. And of course, if you don’t have a network yet, you can use this opportunity to create one. You are expecting people to work on your behalf and be your ambassadors. Their goodwill and energy are precious resources, essential to the success of current and future campaigns. So, think about incentives – what can you offer to encourage them to take the survey and attend the focus group? The array of possibilities is endless, from a cool themed re-usable coffee cup to cinema tickets. It shows you care and that the campaign matters.
After the party
There’s absolutely no point in going to all this trouble if you don’t squeeze the last bit of juice from the results. But more important than that, make sure they are meaningful to the business. The programme will be dead in the water if you don’t think in these terms, and thinking in them massively increases the chances of uptake. Make your results visible and visual in a report. Be open and transparent with your results – share them on your intranet page:
o What we found
o How we will be using the results to inform our programme
o What activities/events/training you can expect – for example episodes of
Thanks for reading. I hope this blog post has got the cogs whirring. Next month in Part 2, I’ll be focussing on the crucial next steps – ‘building trust within the organisation’ and ‘branding your team’. ’Til then, have a happy, safe and secure ‘Cybersecurity month’!
Mo Amin is an independent security culture consultant
‘Restricted Intelligence’ is an Information Security Campaign delivered through 5 Seasons of highly entertaining short sitcoms. www.restrictedintelligence.co.uk