Security Awareness Initiatives: Top Lessons Learned From CISOs Part Two

Awareness not School!
Written by Ben Chai (SecurityVibes.com)
Online Wednesday 8 July 2009
0 comments | United Kingdom sub-network

In Part One of Lessons Learned, we looked at the major lessons learned from CISOs at the ENISA (European Network and Information Security Agency) event in June. As we have seen so far, after decades of technology spend, the weakest link is still the human firewall, and the recession, combined with evolved social engineering techniques, is making it weaker.

In an interview with SecurityVibes, James Gay had this to say:

“If the security is getting in the way of the job then there is something wrong with the security. Security is meant to complement a procedure or process. If a process is wrong and security gets in the way then you really need to look at the process. You’ll never have good security if the process is having to work around the security. Awareness training is making someone feel empowered but also as part of the solution not as part of the problem.”

Employees Need to Feel That They are the Solution
James explained that although part of the quote was said tongue in cheek, ultimately security awareness training should aim to make users feel like important parts of the organisation's defence system. If it does not, or if a process makes a user feel inadequate, or the user needs to circumvent the security to get things done more efficiently, then there is something wrong with the security.

Barclays Bank's Time to Tell video helps to emphasise James' message. In the one-minute story, an employee working late at night is asked to compromise an aspect of the system. We won't spoil the ending, but it gets the message across to Barclays' employees about how important they are in protecting the Bank.

Lesson: The awareness program should emphasise the importance of the employee in all security matters.

Meet The People
An off-the-record comment from a CISO was that many awareness plans fail because they are purely e-learning or CBT based. Meeting the people builds on the WIIFM and importance lessons previously described. Awareness components such as e-learning and CBT are considered laborious and "for the company" if given out on their own. Face-to-face feedback has more of an ambassadorial feel, and people are more likely to say how they feel than on an online feedback form.

Identify Audience and Awareness Messages
Identify the audience and the awareness messages early, for each of the communication channels they will be sent on, as discussed in Part One. Awareness messages can be identified by asking managers and employees open questions such as "What do you think are the greatest risks in your area?" rather than right/wrong, yes/no questions. Know your constraints and, when planning, always be ready to answer "Why should people do this?" These messages need to be precise instead of abstract.

Lesson: Know the precise messages that need to be communicated and
A Tip: Don't overdo it; be careful about how much people can absorb.

Teething Challenges
One organisation had unexpected bandwidth issues with the e-learning component of its awareness program, another with production time, another with the amount of information presented, and another with culture. Unexpected hiccups will always occur in any project of this nature, and companies were advised to stay flexible enough to evolve their plans as situations and technical emergencies arise.

Lesson: It is hard to imagine everything that could possibly go wrong in an awareness programme, so there should always be some type of contingency planned, just in case.

Get Outside Help
Security professionals are not normally used to creating and marketing communication programs. We all have our niche areas, be they Windows technology, open source, databases, risk, auditing or board-level communication of technological matters. An awareness campaign contains many different types of elements and will need help from marketing, training, administration, HR and, of course, tips from CISOs who have done it before.

Summary
There were many, many more tips from CISOs shared at the ENISA event. Many of the main ones have been covered in this and the previous article. However, the difficult part is thinking of the resources that can be used in on-going (i.e. 3-5 year) campaigns. One final tip from many of the CISOs present was, wherever possible, to re-use what is already available in the company and on the internet. Over the next few weeks SecurityVibes will be looking into some of the best resources (predominantly videos) available on the web that could be used as part of an awareness campaign.

References
SecurityVibes Article: Security Awareness Initiatives: Top Lessons Learned From CISOs Part One
SecurityVibes Podcast: James Gay, CISO for Travelex, on Educating Staff
Barclays Awareness Video: A Time To Tell
ENISA Videos
ENISA Posters
