Making an impact
For an infosec pro, "impact" is a bad thing, the adverse consequences of an incident, but it has another meaning. If your security policies, standards, procedures and guidelines make a positive impact on the readers, they are more likely to change their ways - and vice versa.
Nice in theory, but how do you actually achieve that? Well, it helps to figure out a few things:
- Who are your audiences? Who is it that you are trying to influence? If you can break your audience down from an amorphous blob labeled "employees" or "users" to more specific groups or types of people, you will find that they have different information needs and perspectives on information security. Salesmen, for instance, live and breathe sales and marketing. Their heads are mostly on prospects and customers, plus products and the sales process (and, of course, their commission). Most are not exactly keen to read a boring information security newsletter, or a tedious procedure for requesting access to a system, or whatever. How are you going to catch their attention? [Hint: things that affect brands and sales, and anything that affects their commission, are very much in their line-of-sight!]
- What is it that you are trying to put across, exactly? Trust me, it's easy to blabber on about information security in general, hand-waving terms, but takes a bit more effort to home-in on specific issues, particular messages. You need to research the topic, break down the risks, find angles that are relevant and important enough to warrant being communicated to people busy doing other stuff. If appropriate, pick-up on breaches that have affected the organization. Failing that, incidents affecting neighbors and peers, and near-misses. The aim is to motivate your audiences by impressing on them that "It could have been me", in other words information security is not just a theoretical concern but something worth taking seriously and actively.
- When you say you want them to 'change their ways', what do you mean? What is the nature of the change/s? Are we talking about a slight adjustment, a tweak, evolution or revolution? Is the desired change entirely within the domain of the individuals, or is it a group-wide or cultural thing, taking in aspects such as social relationships and power as well as the people themselves? A wonderful way to think this though is to ask yourself what differences you expect to see if the change is 100% successful, contrasting that against the 100% unsuccessful case, which naturally suggests ways to measure the effects i.e. metrics.
- What's in it for them? This is hard. It's all very well telling people they ought to care about information, risk, protection, privacy and compliance, but that's our imperative, it's what drives us as infosec pros. How are we going to make it theirs? How do we get them to internalize and own the problem? We use take one of two lines: we emphasize the benefits either to the organization or to the individual. In fact, even the organizational benefits tend to be couched in terms that hint at self-interest, for instance a healthy, profitable, vibrant organization is going to be a happier, more exciting and promising place to work. If your default approach is to warn people about the penalties and dire consequences of not doing things right, perhaps you ought to re-think things. Enforcement is a necessary part of achieving compliance but is not the most effective. It's too negative. How about some carrot to go with, or instead of, the stick?
- How are you going to put the message/s across? Reviewing the answers to the previous questions generally reveals that you have a diversity of messages and audiences with differing needs, so good luck if you are putting all your eggs in one basket. I'm not just talking here about using a single communications vehicle such as a newsletter, poster or intranet site, but also a single mode of communications such as the written word. Some of us love reading and writing, some of us think in pictures, others like to be told or shown things, and some need to experience things for themselves. Like the carrot-and-stick image above, your security awareness poster or infographic, for all its striking graphic imagery, bright color and well-meaning advice, is not going to have the same impact on everyone. Some will love it and take it to heart, others may barely give it a second glance. The poster has value as part of a coherent communications approach, not the whole.
Contact me for more along these lines, either by email or through the comments. There's lots more to say!