7 steps to market information security to employees [UPDATED]
An effective way to raise awareness of information security is to treat it as a marketing activity, promoting and selling information security to employees.
I'm not going to give you a lesson in marketing in the blog, but I will hint at how to apply some of the concepts through a sequence of 7 basic steps.
  1. Identify and understand your customers, i.e. the people who, you believe, need to be more 'security aware', plus the stakeholders in the awareness program, and not least your team. It is all too easy to skip this step, but take a moment to figure out who the awareness program is intended to reach, who this will satisfy, and who should be involved, and start thinking about what they might need. Even better, go ask them!

  2. Segment the customers. As you drill into the details in step 1, you will soon discover that you are not dealing with a single, homogeneous audience. Different audience groups or types will emerge, with distinct information security awareness needs. An effective awareness program gets up close and personal. Call it 'divide and conquer' if you will.

  3. Clarify customer requirements. From the perspective of the awareness audience and the stakeholders in the awareness program, what are they expecting to gain from the program? Are you seriously just expecting people to be more aware, or are you in fact hoping that they will behave more securely, avoid insecure activities, 'do the right thing', take security into account when making decisions etc.? The requirements will ultimately be fleshed out into learning objectives associated with each awareness activity. They will also inform the selection of sensible metrics (step 7).

  4. Design your brand and product. A brand is a set of emotions, values, impressions, expectations and so forth that audiences will come to associate with information security. Designing the brand is important because it crystallizes the high level objectives for the awareness program. It leads into designing your product.  Appreciating the ways in which information security will benefit the audiences (both personally and the organization that employs them) will pay dividends later on.

  5. Plan the promotional campaign to promote and sell the product. Each activity or event is a piece of a bigger puzzle, so it helps immensely to start with 'the picture on the box'. Don't expect to achieve much with a single/one-off event, no matter how impressive it may be. To achieve a lasting level of security awareness requires sustained effort over the long term. This is where you determine the learning objectives for each part of the campaign, as well as designing specific events or activities.

  6. Develop/obtain and deliver the product. Each awareness activity needs supporting and learning materials. There is definitely an art to creating good awareness content: it has to be interesting, informative, engaging and motivational. It has to hook members of the intended audience, catch their attention, make them think, and most of all influence the way they behave in future. If you have the time and the skills, by all means do it yourself. If not, you will need to find partners for this, whether in-house experts or commercial vendors.

  7. Manage, measure and mature. It is virtually impossible to develop meaningful metrics unless you understand what you are trying to achieve. What is the end goal? What outcomes are and are not desired? Understanding this is key to selecting/designing sensible ways of measuring progress, and measuring sensibly is key to managing the program and making systematic improvements. Step 7 links strongly to several previous steps, meaning that the awareness program will inevitably evolve. Lather, rinse, repeat.

Any marketing and training professional should recognize these steps, which hints at one final Hinson tip. Work with your colleagues in Marketing and HR/Training to plan, develop, deliver and improve the awareness program. While you're at it, find friends in other places - managers who appreciate the potential, staff who are keen to get involved, Compliance, Risk Managers and Auditors who have a stake in the program's success ... Security awareness, like information security as a whole, is a team sport. You may be the star player or the manager, but for ultimate glory you need to build and motivate a solid team that works exceptionally well. Good luck!

PS Aside from any good marketing textbook (such as this one), I unreservedly recommend Rebecca Herold's "Managing an Information Security and Privacy Awareness and Training Program".