Skunkworks & 7 other awareness strategies

Over the weekend, I've been mulling over the issue I raised at the end of last week about how to get management fully behind the security awareness and training efforts. I've come up with several possible strategies.

A skunkworks approach is one possibility.
"The designation 'skunk works' or 'skunkworks' is widely used in business, engineering, and technical fields to describe a group within an organization given a high degree of autonomy and unhampered by bureaucracy, with the task of working on advanced or secret projects."

The idea is to assemble a small close-knit group of like-minded colleagues to work informally ('unhampered by bureaucracy') on management's awareness, specifically, with the aim of formally proposing an organization-wide security awareness and training program once management's interest has been piqued. Being a small team with a narrowly-defined purpose, the work can probably be done without dedicated resources, with no need for a project team and budget, or even timescale as such. The interest-piquing initial management awareness part can usefully take place in parallel with drafting the formal proposal, saving elapsed time and hopefully ensuring that the proposal aligns with management's evolving perspective. [Hinson tip: it would help if one or two friendly senior managers were brought in on the cunning plan early-on, though, to smooth the way once the strategy comes into view. Most of all, it would need at least one passionate leader, someone with the enthusiasm and energy to fire it up, get it rolling and keep it going for as long as it takes.]

Aside from skunkworks, there are at least 7 other strategies ...


#1 A risky, almost Machiavellian strategy is to engineer a crisis in which unawareness plays a crucial part, more likely seizing upon an opportunity such as an information security incident or an impending compliance deadline (such as May 25th ...) to catch management's attention first, softening them up for the follow-through "What we need right now is {ta-daaaaah} a Security Awareness and Training Program, just like this!". [Hinson tip: suggesting that awareness is The Ultimate Answer To Everything would be unwise but I'm convinced it is a valuable, or rather necessary part of the grand solution. It's hard to imagine anyone seriously suggesting that awareness is unnecessary, let alone detrimental.]

#2 Compliance is a strong driver. Scan applicable laws, regulations, contractual commitments etc. for any obligatory/mandatory requirements to run security awareness and training, plus any recommended/advisory suggestions or other hints that doing so might be A Jolly Good Idea. It's worth systematically assessing internal requirements too, such as corporate policies: aside from any specific mention of security awareness [Hinson tip: ... which the canny CISO or ISM will have previously slipped quietly into the security policies], there's an obvious need to make people aware of the policies if they are expected to know about and comply with them. Security standards such as the ISO27k and NIST SP800 series are further sources of advice, along with PCI-DSS, COBIT and others, although those are aimed at information security pros rather than general management, so would need to be interpreted somewhat to draw out the business advantages ...

#3 ... which leads to another approach: position security awareness as a tool supporting information risk management, information security, compliance, governance, privacy, safety, assurance And All That - or, even stronger still, as a business enabler. Given the choice, this is my preferred approach, directly supporting the idea that information security isn't just something that ought to be done because somebody says so: it is necessary for business reasons, and commercially valuable in its own right. [Hinson tip: it helps of course if management is already sold on the need for information risk management, preferably a structured, comprehensive approach. If they are not, we're heading back to square 1 and the conundrum I raised last week: to get awareness, first we need awareness. The difference here is that although management may not initially be keen on security awareness, hopefully they appreciate the need for information security, if only grudgingly for compliance reasons.]

#4 A related suggestion is to integrate security awareness with other planned business and security initiatives - not just tacked casually on the side as an optional extra (where it is vulnerable to being chopped at the outset, or later on when the going gets tough) but as a necessary core activity, an essential or fundamental part. This is easiest with information security projects, naturally, and not too hard with most IT- and information-related business change projects (e.g. all things cloudy). It takes more creativity, effort and care, though, to position security awareness as an integral part of other business activities, with rapidly diminishing returns, aside perhaps from hooking up with other forms of awareness and training (e.g. health and safety). Again there are risks here in pushing too hard. If management consciously chops out or cuts down on security awareness, it's going to be harder to get them back behind it later on, at least not until they've forgotten what they did! If you ever get to the point of someone saying "Oh not, not that bloody awareness stuff again! Give it a rest!" you'll know you've gone way too far. [Hinson tip: if the awareness stuff is robustly blocked, try to get the blockers to acknowledge that its is 'not appropriate right now' rather than accepting a flat-out "No!", preferably in writing even if YOU have to write it! Leave the door open for a later approach, when the time is ripe. Strategy is a long-term game, so think things through and keep on stacking the deck in your favor. Your time will come, glasshopper.] 

#5 Divide and conquer involves putting effort into persuading specific senior managers, individually at first, of the value of security awareness, then working with them on a plan to convince their peers. As individuals are persuaded, put them in touch with each other. Using management's power and comms structure requires political acumen and drive, which is why I suggest singling-out and collaborating with friendly senior managers: they should know how stuff gets done, and hopefully how to avoid the potholes and barriers that those lower in the pecking order may not even appreciate. They are also a relatively soft-sell: if you can't convince them that awareness is worth doing, what are your chances of persuading the rest of management? [Hinson tip: watch out for those hot buttons - things that catch their imagination, spark genuine interest and hence show real promise. Emphasizing them in subsequent comms makes a lot of sense, perhaps to the point of building proposals around them.]

#6 If the previous strategies seem too much like hard work, here is a low effort low impact approach. Let your awareness and training activities evolve naturally, growing gradually from whatever you are doing already. This is a long, slow, plodding method, but that doesn't automatically discount it. This is the default approach, the straw-man against which to compare the other strategies. [Hinson tip: for more traction, it's possible to accelerate the rate of change using metrics - particularly my favorite, maturity metrics. Measure the current awareness and training activities relative to accepted good practices*, both to define the starting point and to drive improvements. Once things start working more effectively and efficiently, the metrics will demonstrate progress, which in turn encourages more effort - a positive feedback loop that you can use to your advantage. Obvious when you think about it, or when you stumble across it on some random blog ...] 

#7 'Some random blog' brings me to my final strategy: proactively use social networks and social media for security awareness purposes. Email this blog's URL to your colleagues to pump-prime the discussions about strategies that might be worth pursuing. Set up a 'friends of infosec' mailing list or group at work to drip-feed and discuss relevant news, gently and repeatedly reminding people of the value of security awareness, in the sense of spotting emerging risks and avoiding nasty surprises. Publish relevant clips and links to awareness stuff on information security's intranet Security Zone. Mention security awareness in responses and comments to other people's blogs, emails and assorted corridor-comms at work. Drop it casually into your progress reports and management updates. Mention it to your esteemed colleagues from Risk, Privacy, Compliance and Audit over coffee, lunch or beer. Pop it in your newsletters. Be enthusiastic or evangelical like me, hopefully not boring and obnoxious through. [Hinson tip: bring this up in your blog, too. I've scratched your back ...].

* Get in touch for help with that. Awareness metrics are right up my street.