Branding security awareness
I find brands fascinating. We are immersed in a heavily branded world, surrounded and constantly bombarded by brands. They are thrust at us through advertisements and emblazoned on product packaging. Many are really quite crude and obvious - childish graphical logos in bright primary colors, simplistic tag lines, annoying jingles and endless, endless repetition. Others are far more subtle and sophisticated. The very best take subtlety to the point that we no longer appreciate we are being coerced, but we are, oh yes we are.
Brands go well beyond the logos, jingles and taglines, taking in very diffuse perceptions about the organizations and their products in general - myriad aspects such as quality, price, reliability, innovation and, most of all, trustworthiness. Most of us are loyal to certain brands while avoiding others (brands can be liabilities as well as assets), spreading branding's influence into the social sphere as we demonstrate and discuss our preferences with friends. We even delude ourselves, quietly accepting and downplaying faults with our favorite branded products and yet pointing out even small flaws in hated brands. The prejudices run deep.
Notwithstanding that comment about liabilities, brands are extremely valuable for organizations, and not just in the commercial sphere: take any political party, for instance, or politician. Well OK there is of course a financial undercurrent but public perceptions and trust are crucial to being (re-)elected. Same thing with sports teams, even religions. Corporate departments and functions also have brands though they are seldom deliberately managed. Individuals have brands too - think of, say, Richard Branson, Kim Kardashian or Donald Trump. Regardless of what you personally make of them, merely mentioning certain well-known names without any context instantly conjures up a cloud of perceptions, beliefs and expectations, some of which have almost certainly been deliberately fabricated or manipulated by those people plus their allies and opponents. The investment is huge.
So, how does all that relate to security awareness?
The obvious place to start is the dreaded logo. Awareness programs normally have some sort of logo - often, it has to be said, lame ones involving padlocks, chains and binary numbers. With a bit of thought and effort, we can do much better than that. In fact, a challenge or contest to come up with a decent logo is itself a valuable awareness activity - something we probably ought to do to update the rather drab and lifeless ISO27001security.com logo!
But hang on a moment, what is the logo meant to express? What are the perceptions and values we'd like to associate with the awareness program? If we leap right in with a logo, we've missed out a crucial step. As I said earlier, there's more to branding, more to consider, more to plan.
It's worth spending quality time with marketing professionals to explore and understand the entire package before designing the packaging.
Creativity can be stimulated through various activities, techniques and approaches, especially if there are naturally creative people on the team or co-opted to it - and by the way, 'the team' is itself a valuable concept in the context of security awareness. Who is or is not on the team? What draws them to want to belong and hopefully participate? Who are the opposing teams? What are the team colors? When do they get together to wave their flags, chant the team chant and hopefully celebrate success on the field? What is success, in fact? What does it look like? How does it make you feel?
That brings us to those tag lines supporting and giving meaning to your logo. If you had to sum up information risk and security (or whatever) in a short, memorable, meaningful phrase, what are the fewest, most expressive words you can come up with? Shortlisting and deciding between your tags is another part of the branding process, another opportunity to get creative and solicit inputs from other parties. Does "cybersecurity" do it for you? How about "protecting and exploiting information" or "safety and security"? Are we focused on locking things down to prevent the badness, or setting things free to release the goodness? The subtleties of our field are worth exploring, within your organization and its culture - which is yet another angle to this, along with maturity since culture is both an emergent and an evolving concept.
Hopefully I've got you thinking so I'll stop here and return to the day-job, but there's much more to say and I'm sure I'll come back to this later. Meanwhile, the comments are open. I'm dying to learn new tricks. Go ahead, make my day (now that's a tag line!).