Planting the seed for a security culture program 2/3

03/11/2017 By SIT Group Member

– by Melissa Misuraca

2 of 3

SIT Group member, Melissa Misuraca, continues her series of tips about obtaining the necessary support to move forward with a new security awareness program. Don’t forget to check back each week to collect the rest!


Last week, Melissa talked about building the business case for a security awareness program.  This week explores the next steps.

Partner up

Ensure you are partnering with people who have influence in the organisation and who can help you find ways to effectively build a plan and communicate the messages.  In their book “Blue Ocean Strategy,” W. Chan Kim and Renee Mauborgne suggest starting with people who have disproportionate influence in the organisation.  Once they are committed to the cause, they can help shine a spotlight on your program so others get the message too.

Influencers can also provide much-needed insight into what will work and what won’t depending on an employee’s role, the channels they can access and the success of other behavioural change initiatives. Stakeholders who understand an organisation’s mechanics include Internal Communications, HR, and Executive Assistants (the latter are also influential amongst the C-Suite).

Don’t reinvent the wheel

Look for ways to align and leverage existing forums, champions or activities. This can help ensure the message sticks. Opportunities include the quarterly staff roadshow or Town Hall, Lunch and Learn series, Risk or Change Champions network or other activities where there is already a captive audience. Then find ways to incorporate your message.  People will thank you for being respectful of their time and existing commitments if you leverage activities and events that are underway. These forums are also a terrific way to connect to more arms and legs in the organisation, especially if you have limited resources for your program. (Hint: why not join SIT Group and leverage the power of a community of people that have been doing this for over a decade!).

Show me the money

Find out how much money is being spent on technology vs security culture and change. I’m often surprised to learn that companies are spending millions of dollars on technology but seem reluctant to support a security culture program. ZDNet released this list of the biggest hacks and security breaches from 2016, and upon closer inspection they all contain a significant human contributing factor, whether it was user error, poor coding, or poor security behaviours. Industry-relevant case studies and media coverage can help communicate where things can go, or have gone, wrong and help your business case for funding.


That’s all for this week. In the final instalment next week, Melissa will discuss:

  • Celebrating wins
  • Giving people something they can identify with