Proceed with caution
Using the Information Security 101 theme I mentioned on Feb 14th, I'm close to finishing the first set of presentation slides with a preponderance of yellow and black.
Through a carefully chosen sequence of bright, clear images, no bullet points and very few written words, the slides tell a visual story based around risk. The core message is that information security is less a case of stopping the business from doing things, than of being vigilant. 'Proceed with caution' sums it up nicely.
Given the elegance, simplicity and power of those 3 words, I'm not sure whether to elaborate on information risk and information security at all, in fact. I guess we'll mention a few current threats, some recent incidents and typical controls in the speaker notes but I rather like the idea of leaving it up to the presenter/trainer to decide how to play things at run-time - during the induction courses and awareness program launch sessions for which the 101 module is destined. Some audiences will get it, effortlessly, while others might need a bit more of a steer, more of a clue about the point we're expressing here.
I've blogged before about my strong preference for images over written words on training course and seminar slides. The audience should focus their energies on understanding what the presenter/trainer is putting across, rather than reading the words on the screen, and is there anything more sleep-inducing than an inept and often nervous presenter literally reading aloud his own slides, often great blocks of text in a dreadful monotone?
It's not exactly death by PowerPoint, but close. "Take it easy, relax. Your eyelids feel heavy ..."
The answer is glaringly obvious: swap the written words for diagrams and images.
Visual impact is doubly important for induction courses since inductees are often assaulted by an avalanche of new information. There's a lot to take in - not just from the slides and maybe handouts but from the speakers/trainers too, plus their new colleagues. If our Information Security 101 materials add to, rather than slicing through, the information fog, we're squandering a golden opportunity.
This is one of those situations where less is more, so I'm already de-wording, cutting slides and trimming/simplifying/refining the content. When it comes down to it, there are only a few things we really need to say, so I propose to focus sharply on those in a short presentation, leaving a good chunk of the allotted time for the presenter/trainer to interact with the audience in one or more live segments during the course of the presentation and either side of it.
There's only so much we can do to support the live segments. The slides and speaker notes are prompts, and as usual we'll be providing a stack of tips in the train-the-trainer guide in the awareness module - like for instance treating the induction sessions as a valuable opportunity for Information Security to meet and connect individually one-on-one with new starters - putting faces to names.
Since induction sessions run frequently (in mid to large organizations at least), we'll encourage the presenters/trainers to bring up in the live segments whatever infosec-related issues happen to be topical that very day. I have in mind:
- Recent/ongoing privacy breaches and other significant infosec incidents from the news (international, national or local);
- Emerging threats and other concerns drawn from recent security alerts, briefings and so on;
- Hot topics within the organization - current risk and security focus areas, major projects, business initiatives etc.;
- Hot topics and concerns from the audience: what would they like to discuss?
- Any interesting security metrics (yes, although rare, they do exist!);
- Hot topics within the profession - nothing too involved, just a glimpse of the challenges we face in adopting novel security technologies and techniques;
- New InfoSec policies, new standards, new courses, new security survey reports, new people, new controls ... new anything really. It would be cool if inductees joined their departments with tidbits of new knowledge to impart to their new colleagues - something to talk about anyway, and it's all part of socialising security awareness.
And that reminds me: repeated induction sessions mean plenty of chances for the trainers/presenters to practice and refine their techniques, gradually gaining confidence and experience. Personally, I'm cynical about those tedious post-session feedback sheets as a means of gathering audience feedback and scores, compared to the presenter/trainer simply taking a moment to consider their own performance and figure out for themselves what went well, or not. Being alert for audience reactions during the sessions forces the presenter/trainer to maintain eye contact throughout - which is definitely A Good Thing. On top of that, there's nothing to stop someone calling on inductees a short while after to ask them how the induction session went.