[Editor's Note: This blog is from Tim Harwood at British Petroleum, an organization with 98,000 people, and is part of a new series where we get insight from other security awareness professionals. Every organization and their security awareness program is different. As such, every organization has a different story to tell and different lessons learned to share. This is one of those stories.]

It is often said that security is just another element of the ‘horizontal rain’ that gets in the way of the business actually doing its job! Not my opinion, of course, and I am sure that if we removed all security safeguards then there would be a huge furore as the business ceased to function within minutes. But how do you strike that balance of ‘just enough’ as opposed to ‘overkill’ and still get the business to understand the ‘why’?

As is covered by the SANS MGT433 security awareness course, one of the most important elements is getting that essential buy-in from a recognised person high enough ‘up the tree’ to be taken note of. But that doesn’t mean that the business will actually do what is required, does it? The important thing is to ensure that the buy-in cascades down that same tree so that all of the business elements understand that they have a part to play - after all, if they don’t and the business ceases to operate, they all lose their jobs and income!! That’s perhaps the best incentive in the world, isn’t it?

Therefore, gauging that lower-level buy-in so that it becomes a) comprehension of what you are trying to achieve (i.e. keeping them operating and in a job) and b) an understanding of what their part in the whole campaign is, is just as vital as any other part of the campaign. Once that is achieved and they begin to implement the campaign elements then you know that you have achieved stage 1.

Top tip - utilise what is already in place.
We have created a ‘Security Awareness Champions Network’ from the local safety reps in each business unit which gives us a person on each site who delivers/cascades the material (in the local language where required). Regular champion meetings/calls are held where the next campaign is rolled out to them prior to launching to the business.

The next bit is to make sure the business actually implements it into the way they work, so that it becomes the normal routine of ‘… actually doing their job’. That is when you know you have won that tiny part of the battle and you can move onto the next campaign. But, as we have found out to our cost initially, don’t try and do too much too soon. Otherwise you will lose all that hard-won ground and the business just reverts to ‘oh, it’s another message from security - straight into the Junk message folder’ and then you have to start all over again…

Top tip - use the champions (or local security-friendly staff) to ‘sense check’ awareness material. We recently had to alter a caption to an image because it had a reference to gambling which wouldn’t be accepted in certain parts of the globe.

And that is where this group comes into its own. The beauty of this forum is that we are all trying to achieve the same thing. The help that is out there has been great and it is good to know that I can ask ‘has anyone done this before?’ Generally, the answer is ‘Yes’ and that’s when you can start to step out of the horizontal rain and into being a trusted partner.

BIO: Tim Harwood, M Inst ISP, is the Security Capability Lead at BP plc where he has been for the last 7 years. Tim came into the IS industry late after a full career in the British Armed Forces and has spent the last three years designing and implementing a talent management system and skills and development framework for the security professionals within the company. In addition, he is responsible for the security training for the rest of the business.
Tim is a member of the UK Cyber Security Advisory Group which is responsible for the cyber security education and learning paths for the next generation of UK schoolchildren. Although now 50, he juggles all of this with the added responsibility of a recently adopted 2-year-old - no mean feat!!