We now get to the third and final part of communicating your awareness program, HOW. For any successful security awareness program, I feel this is the most important part. Unfortunately, I also feel this is the part most organizations screw up, resulting in an ineffective program that does more harm then good. The reason is simple, very few organizations put any planning or effort into it, good communications is hard. In a way it is a totally different mind set for security geeks, this is more marketing then security. Lets start off with some of the most common problems and challenges. In later postings I will describe how the challenges can be overcome.
- Marketing: Lets be honest, to date most awareness programs in the past have not been that great. The overall content different organizations want to teach tend to be similar, but how we, the security community, have taught those concepts has frankly been embarrassing. Silly posters that look like our kids made them with crayons. (as if posters alone are going to make an organization secure). Mind numbing training videos that were created with power point and require the end user to click through slide after slide after slide. Newsletters that are as exciting to read as legal documentation in your mortgage application. Awareness is all about communicating to people, stop thinking like a security professional and start thinking like marketing. Create newsletters that are professional looking, easy to read and straight to the point. Deploy online video training that looks like it was actually created in the 21st century. Remember, we are dealing with the YouTube generation they have extremely high expectations. If you are going to do on-site workshops make them fun and engaging, have presenters that have speaking experience or at least training. All of this is extremely hard and that is why so few organizations do it. But like any good product, the key to getting anyone to listen is an effective marketing campaign.
- Language: Now, as if HOW was not hard enough, there is another twist and that is customization. You have to customize the materials for your intended audiences. For example, one of the most effect ways to reach people is to have the training in their native language. This means having materials translated, which is once again much harder then you might expect. Do you want European Spanish or Latino Spanish? Do you want traditional written Arabic or local spoken Arabic? Even accents play a huge role (American versus British). In addition, once you translate materials this can have a huge impact on how the materials looks, even for something as simple as a newsletter. For example, when you translate a newsletter (or any material) from English to Polish, Polish takes up almost 30% more space to say the same thing. Arabic on the other hand takes up 30% less space (and is written from left to right, which can radically alter any graphic designs). In addition, many languages have unique translation challenges. For example, in Norwegian the word 'safety' and the word 'security' are the same word, which can make translations more difficult (this is actually a challenge many languages face). The closer you can translate your message to to your target audience, the more likely they will connect with your message.
- Content: Language is not the only thing you have to translate, so to does the 'content'. For example, you can have the exact same topic being taught in the exact same language, but the vocabulary will change depending on the audience. We recently worked with an organization where all of the content has to be re-written using more educated vocabulary. Most of the employees had a minimum of a graduate degree, this meant the language we used had to be at their level. On the other hand, some cultures care less about what the actual content is and care far more about how the content looks. Some cultures feel that if the materials do not look professional, then they must not be professional and will not even bother reading them.
- Culture: Another issue is not to offend the local culture. For example, a lot of awareness material is developed in the United States, simply because it is one of the largest markets in the world. Unfortunately this means a lot of awareness training is US centric. Things that you may think are not a big deal are. For example, if you are showing examples of currency in a training video, don't just show US dollars, but Euros, British Pounds or UAE Dirhams. If you show maps of the world, be sure to show maps that are local to your audience. Also, if you show people in local dress you may have culture conflicts. What people commonly wear in Brazil is different then what people wear in Oman. It is differences like these that will make a huge impact on your awareness program.
These are just some of the more common challenges we face. What suggestions do you have for effective communication of your awareness program? What has worked best for you? In the following postings I will suggest some simple yet effective ways to address these challenges.