Often when I start an awareness program with an organization, the initial response is this will be simple. However, after I sit down with them and ask them a variety of questions, such as why they want such a program, what are the goals, who are the targets, and what are the key topics they want to teach, things quickly get more complicated. All the sudden deploying that firewall or configuring that IDS sensor looks a lot simpler. That is because with awareness you are dealing with humans, and humans are an extremely complex subject. In addition, to add to the complexity every organization has its own unique culture, requirements and structure. Combined, all the elements have to be taken into account when building an awareness program.
The key element in any awareness programs (and this is where most organizations fail) is that awareness is all about communication. To have a successful program, to really change people's behaviors, you have to effectively communicate. Unfortunately, we security geeks do not excel in that area (and thus part of the problem). In general, there are three key areas for communication, and I will be discussing each of these in more detail in the coming posts. The three key areas are
- WHO you will communicate to. WHO you are targeting greatly impacts WHAT and HOW you will communicate. In general most organizations do not even consider this point, they only focus on employees.
- WHAT you will communicate. In general, this is the one area organizations do well in. The one common mistake I see is organizations trying to communicate to much. Prioritization is key here.
- HOW you will communicate. This is where most organizations blow it. Most awareness programs treat people like 3rd graders with nothing more sophisticated then some power points online. This is the YouTube generation. To reach your organization you need to professionally package your message. Here you have to think like marketing not geeks.
I'll be going into much more detail in the coming posts on these three points.