by Tanya Heffel. Tanya has nearly 20 years of hands-on experience in a variety of highly competitive industries and fast-paced environments including the Federal Government. As an innovative technical/operations leader with experience in managing teams to new levels of achievement, Ms. Heffel has specific expertise in strategic planning, business unit development, project management, and system engineering strategies. She has a proven ability to thoughtfully analyze an organization’s requirements, identify deficiencies and potential opportunities, and develop innovative and cost-effective solutions for enhancing competitiveness and improving customer service offerings.
So many of today’s headlines talk of security breaches. Most recently, the Federal Government experienced one of its largest breaches to date, with the theft of billions of personal records for employees, contractors, etc. At the core of most of these incidents is a lack of education and awareness within the teams that support and administer the systems, as well as within the user community. Developing a Security education program is an ever-evolving, continually changing aspect of an organization’s overall Security methodology. You cannot just train once and forget about it: most security compliance and governance requirements mandate, at a minimum, yearly training targeted at your employees, users and pretty much anyone that has anything to do with your organization. From the receptionist all the way to the CEO, no one is exempt. Everyone has an important part to play.
Putting together a Security Program takes time, money and, most importantly, energy. The lack of a formal program is noted as the number one deficiency in most organizations and has consistently been the primary reason most breaches and subsequent damages occur.
The first step in developing a Security Program is the content, which is predominantly composed of corporate policies and procedures, the security compliance program your organization subscribes to and the overall governance requirements that the organization must adhere to. Your program content doesn’t have to be a book that reads like stereo instructions. Research has shown that a clearly articulated and targeted presentation of no more than 30 minutes and about 20 slides is enough to relay the necessary components while still keeping the audience engaged and active.
With content in check, what is next? How do you get this information to your community? Creating effective resources and using multiple delivery methods is key. Some ideas that can be used, depending on the size of your organization, are:
• In Person: Presentations, Meetings, Brown Bag Lunch Sessions and even one-on-one discussions are all effective tools for delivery
• Documents & Repositories: Handbooks, policies and procedures, and links to reference materials should be easy to find on internal websites, intranets and employee collaboration tools. Use online quizzes, reference materials, cheat sheets and “security for dummies” type information, and post security awareness posters around your office
• Security Engagement Communications: Send alerts, online quizzes, links to targeted publications, relevant blogs and articles
• Events: Security conferences, seminars and workshops
Content resources and delivery methods focus on communication. Let’s face it, no one wants to hear the word Security, let alone see “security monitors” coming up behind them in the hall to discuss Security. It’s the “white elephant in the room”. Communication is key, but Security has to be understandable and relatable. Security departments cannot just sit and wait; they must engage and talk to employees – regularly and consistently. They must provide clear and effective policies, procedures and guidance, then lead by example. Security professionals must target the message to the specific audience at hand and ensure that they are consistent. Reference other experts to fortify your message and present the message of Security in a context that all employees, partners and team members can understand.
This is a continual, ever-evolving process… You will hear me say throughout this multi-part blog:
And when in doubt, REPEAT!