A big win for security awareness

Working on the management seminar slide-deck over the past couple of days, we've developed and documented a coherent five-part strategy for improving both the speed and the accuracy of incident reporting.

The strategy mostly involves changing the motivations and behaviors of both staff and management, possibly with some IT systems and metrics changes where appropriate to support the objectives.

Elaborating on the background and those objectives explains what the strategy is intended to achieve: the slides and notes justify the approach in business terms, in effect outlining a business case. It's generic, of course, but providing it in the form of a management seminar plus supporting notes and briefings encouragescustomers to engage their managers in a discussion around the proposal, hopefully leading to consensus and agreement to proceed, one way or another.

The nice thing about this is that it can't really fail: the very act of management considering and discussing the proposal itself drives the improvements we are suggesting in a general manner, even if the decision is made not to proceed with the specific changes proposed. If the response from management is more favorable, the outcome will no doubt be some version of the strategy customized to suit the specific organizational context and needs, plus management's commitment to see it through.

Either way, that's a win for security awareness!