A universal awareness device
Since the very beginning of our security awareness services back in 2003, one of our regular monthly deliverables was a "board agenda" - a security awareness item aimed at informing and engaging the most senior managers in an organization.
At that stratospheric level, awareness materials need to be both succinct and relevant to stand any hope of being used. Senior managers are extremely busy people.
The board agendas are each just one side of paper if printed, as is usually the case for board papers in their briefing packs. We deliberately avoid jargon and lengthy explanation on the basis that the audience is both busy and competent, generally highly experienced and quick-witted people keen to get straight down to business. The audience isn't expected to know everything, but hopefully they can rely on the support of their trusted networks of peers and direct reports, plus of course the remaining security awareness content provided. Oh and Google, naturally. We'd love them to read and consider these papers ahead of the meeting, but if not they are simple enough to figure out on the fly.
Our awareness papers all fall within the broad area of information risk and security covering the same topic area as the remaining awareness content in the module, reflecting the design goal of encouraging social interaction and discourse throughout the organization. Security awareness is not just something to be aimed at 'users', treating them condescendingly as mere serfs! We're consciously socializing information risk and security, making it an integral part of the corporate culture, top to bottom, side to side.
Given the specific target audience for the papers, relevance is achieved by emphasizing high-level matters that most concern senior management, namely business aspects such as strategy, governance and compliance ... talking of which, we'll be incorporating this colorful diagram into November's board agenda for the privacy awareness module:
The idea is deceptively simple: following an introductory paragraph briefly outlining the topic, senior managers will be invited to consider their positions on privacy compliance, 'make their mark' somewhere appropriate within the triangle, then discuss the topic with their peers at the next meeting.
The red-amber-green triangle is an elaboration on the linear RAG spectrum figures we use routinely - such as this one from the current awareness module on digital forensics:
Either way, this highly visual approach is an excellent means to set people thinking about the topic, expressing their opinions in a manner that encourages open discussion of their respective viewpoints and concerns. For instance, marks close to any apex indicate strongly held opinions, while marks towards the middle suggest indecision or ambiguity. The wording of the triangle's amber corner is intentionally provocative: we'd like those with more specific views to challenge those who put themselves on the fence, as it were, or fail to engage. Managers with something specific to say on this topic have their opportunity to speak up and make their case, while everyone listens and learns - an awareness win, plus a chance for the whole team to review and perhaps refine corporate positions, strategies and policies in this area through discussion and (hopefully!) consensus.
Either way, this highly visual approach is an excellent means to set people thinking about the topic, expressing their opinions in a manner that encourages open discussion of their respective viewpoints and concerns. For instance, marks close to any apex indicate strongly held opinions, while marks towards the middle suggest indecision or ambiguity. The wording of the triangle's amber corner is intentionally provocative: we'd like those with more specific views to challenge those who put themselves on the fence, as it were, or fail to engage. Managers with something specific to say on this topic have their opportunity to speak up and make their case, while everyone listens and learns - an awareness win, plus a chance for the whole team to review and perhaps refine corporate positions, strategies and policies in this area through discussion and (hopefully!) consensus.
In case it's not immediately obvious, the stimulating approach I've developed and described here is broadly applicable, almost universal. Pick virtually any topic (within or without information risk and security) and context (awareness session, training course, workshop, meeting, online collaboration ...) and it shouldn't be hard to come up with options that fall across a range in one or more dimensions. Assemble a group of interested people to consider and discuss the matters at hand, using visual devices along these lines, and Bob's yer uncle.