Creative approaches to information security induction/orientation
This morning, my beady eye has been caught by an excellent Harvard Business Review article from 2007 about creative approaches to new employee orientation/induction. In particular, I was struck by this:
"New employees go through an exhausting three-month immersion process, a sort of organizational boot camp, in which top management, including the CEO, oversees their every step. In the first month, new recruits participate in fast-paced creative projects, in teams of about 20, under the mentorship of more-experienced colleagues called section leaders. In the second month, the project teams are shuffled and split into smaller “breakthrough teams” charged with inventing product or service ideas, creating business models, building prototypes, and developing marketing plans—all in hyperaccelerated fashion. In the third month, the recruits have to demonstrate their capacity for personal initiative. Some continue working on their breakthrough teams; others find sponsors elsewhere in the company and work on their projects. Upon completion of the program, candidates undergo rigorous evaluation and receive detailed feedback on their performance from colleagues, section leaders, and senior management. The new hires are sent to different parts of the organization, but the bonds they develop during this extreme orientation period remain strong throughout their careers."
Regretfully I've never worked in or with an organization that invested anything like as much in new starters: such approaches are rare in my experience. Mostly, joiners are subjected to a rather tedious series of lectures about policies and procedures, often presented by bored employees who would plainly rather be somewhere else. It's a rite of passage, a compliance formality with all that implies. Such a shame.
Nevertheless, security orientation/induction presents opportunities along similar lines, albeit within the narrower confines of information security. For example, we encourage our clients' information security and physical/site security people to get actively engaged in employee security orientation sessions, as opposed to expecting someone from HR, IT or Training to deliver them on their behalf. The key reason is that this is the first proper opportunity to build personal relationships with the new arrivals - to impress on them the value of information security and the importance of their role as integral components of the Information Security Management System. From the other perspective, it's also a chance to 'put a face to the name' so that when an employee comes across a security issue or query, they are more inclined to call it in.
Personally, I don't think it unreasonable to expect the Information Security Manager and other members of the department (such as the Security Admin or Help Desk people) to deliver general employee security induction sessions in person. I appreciate that they are busy people so it comes down to a matter of priorities and making efficient use of their valuable time. Making sure the security induction session is focused and slick using professionally-crafted security awareness/training materials will help maximize the impact for minimum effort, time and outlay.
When it comes to security induction for new managers, it makes even more sense for the ISM or CISO to get directly involved. Rather than the usual group induction sessions, we recommend organizing one-on-one briefings with managers, either in the office or (discreetly) in a cafe or restaurant - a chance for a bit of a chat if not a full and frank exchange of views. It's an excellent opportunity to establish mutual understanding and respect with a huge payoff in terms of management support for information security and information security support for the business (both invaluable!). Bring managers quickly up to speed on the information risk and security objectives, strategies, policies and metrics, and discover how information security can facilitate the business. It's a win-win.