Guest Post - Leveraging Social Media for Security Awareness

Editor's Note: John Haren  is the Head of Information Security Governance, Risk & Compliance at Diageo and has responsibility for the company’s Security Awareness program.  Below he describes how they are leveraging social media to engage staff and help drive their awareness program.

Does your organisation use social media internally? If not, perhaps you should consider it as a tool to be used as part of your security awareness program. In the first of a two part blog series I want to give you an overview of our use of social media for security awareness at Diageo. I was aware for some time that social media was a perfect mechanism to help me get some of my security messages to people.

All previous communication with end users had been one way, a “transmit” from my team in various formats. My ultimate goal was to have an option that would help me both deliver content and get some engagement with the end-user population, to facilitate their asking questions and drive a two-way dialog between them and our security team. I also had few effective and simple mechanisms to assess the level of impact with people – were they seeing our content? Did they understand it? Did they like it? Social media offered me a way to assess all of this and then Yammer was selected organisation-wide as the company’s social media option for general purposes. I then jumped on this as an opportunity for our security awareness program. My organisation (Diageo) has taken what I think as quite an ambitious approach with Yammer. In conjunction with our Sharepoint solution, Yammer is used as one of the primary communications vehicles in the company. In our Information Security team we do three things primarily with Yammer;

1. Post regularly (at least several times per week) on a range of topics. I like to focus on topics that are in the media and translate them into what it might mean for Diageo – that also gives me the opportunity to (sneakily) drop in links to key policies, standards & guidelines people can use to find out more. It is also a vehicle for our monthly newsletter which we can’t email to the whole company.
2. Link posts on Yammer to key topics in our annual awareness program. To support the other vehicles of communication (articles, posters, webinars etc.), we use Yammer to hammer the points home and, hopefully, get some dialog going.
3. “Yamjams”. This is what we have called our planned & structured interactive sessions on Yammer. There is no teleconference/audio. It is simply an open meeting which takes place on a designated Yammer group at a particular time. The goal of the Yamjam was to provide an opportunity to ask questions of the Information Security personnel and discuss policy related matters and, hopefully, lead to a greater understanding of the security policy for people by bringing it to life with real examples.

There are of course challenges around Yammer use. We often struggle to get consistent engagement from people on Yammer as many people still see it (and work-based social media in general) as too much of a cultural shift for them. However, key tips to consider which we have found useful to encourage engagement are;

1. Don’t force-join people to your security-group as this is, in my view, against the nature of what social media is all about. If the content is engaging enough people will connect with it and your site will gradually build momentum.
2. Be consistent in how often your content is posted.
3. Make the content interesting and relevant to people and this includes content on protecting themselves at home regarding information security. Make it personal!
4. Pull statistics from Yammer on a regular basis to demonstrate its effectiveness to management as a communications tool. Example metrics include the number of new posts or the number of comments (from non-security personnel) in a period.
5. Have fun with it. It is a perfect mechanism for running competitions and getting messages across in cartoons or videos. Your end users will always let you know what they like to see.

In the follow on post next week I will describe the aforementioned ‘Yamjams’ in more detail including all the things you’d need to consider before running such a session. If you think this is something which your organisation could use to promote your messages on internal social media then watch out for the next installment.

BIO: John Haren is the Head of Information Security Governance, Risk & Compliance at Diageo and has responsibility for the company’s Security Awareness program.