Security awareness is critical to maintaining enterprise security, but how can you effectively develop it within an organisation? Senior executives from the Commonwealth Bank, Australia Post, BUPA Australia and the NSW Fire Brigade shared their strategies at the recent Gartner Security Summit in Sydney.
Communicating security policy across an organisation is often challenging. One central message from IT security managers is that this can't be approached as a monolithic task, and requires involvement from CEO level downwards.
"Promoting security in any organisation is not one person's job," said John Pane, chief privacy officer for Australia Post. "It's a job for many people and it requires collaboration at high levels." Key stakeholders include IT security management, the privacy officer, the risk officer, and the finance department, Pane suggested. "Getting these people engaged in a dialogue about the importance of IT security and communicating that in a meaningful way is very important."
Top-level management support is "fundamental", agreed Commonwealth Bank executive manager for IT security Rob McMillan. "We're quite lucky in that our current management is very supportive of security, because that really sets the tone. If people can see that the senior management is sponsoring the message and lives the message, that's a very powerful tool for communicating to people that this one's important and you're expected to stick to it.
"The flipside of that is that before you go to senior management and say these are the messages we need to put out, you need to make sure you've got the right messages for them. Those guys can really give you a grilling if you've got it wrong."
While management support is crucial, the means of convincing senior management will often be quite different to the actual messages needed for staff, suppliers or customers. "You often need a security awareness program about the security awareness program," said Marcel Sorouni, security manager for BUPA Australia.
Organisational culture can also impact how a message is received. "In the fire brigade environment we are a semi-defender organisation," said Asaf Ahmad, information security manager for the NSW Fire Brigade. "If the management wants to enforce a procedure which is operational, it's like an order. But if it's something to do with usage of IT or a threat which may affect our working, it's not considered really important because, in the end, they risk their lives to save somebody. So they just say 'if the network goes down, bring it up'."
Constructing an effective campaign for a specific audience requires careful planning. "The first thing we do is understand the market we are trying to reach," said CBA's McMillan. "We need to have some consistency in the message, but the important thing is to understand the drivers and the language that our markets will understand."
"Marketing isn't a science, it's an art," said BUPA's Sorouni. "You need to produce a promotional campaign that's exciting and that works. What doesn't work is that disparate, ad hoc awareness view. What you have to do is tie it all in with a plan."
"One size does not fit all," McMillan said. "You can't write a single message and expect that it's going to speak to everybody in that organisation."
But that necessary diversification can itself carry risks. "In taking that alternate approach which is modifying the content of the message -- not the intent or fundamental thrust, but modifying the wording or delivery mechanism -- you're going to find those who aren't necessarily in the target market are going to have an issue with it," McMillan said. "It's very similar to a lot of public service messages we hear. Those sorts of campaigns often have a target market in mind, and the markets that aren't part of the target generate peripheral noise."
One strategy that is often neglected but which can be very effective is making use of internal communications resources. "In a very large organisation what you write can have a significant effect on how people behave, so you've got to choose the thrust of your message and choose your words carefully," said McMillan. "I think sometimes people don't fully appreciate that having a communications professional involved, someone who knows exactly how to use the right words and the right nuance, is important."
"We have a very good communications division, so whenever we have to send something important from a security perspective we really jump on their back," agreed the Fire Brigade's Ahmad.
"Security awareness is no different to creating awareness for any other program," said Australia Post's Pane. "In any large organisation, someone has done something before along the same lines. Identify those people in your business." Other useful targets include human resources and safety divisions.
Drawing on a wide range of staff can also help ensure a campaign is structured appropriately. "People don't need to know about the law or the 50 page security policy in detail," said Pane. "What people need to know is behaviours that are acceptable."
"The overriding goal inside my organisation is that we want to help people make smart security decisions," said McMillan. "You want to have people understand there's going to be a value proposition for them."
There will always be limitations in any program. "There's only so much you can do to control people," Sorouni said. "You can put in automated systems like access control, but there's an awful lot of things people do that you can't control."