security awareness and cultural change “…from bad apples to good eggs…” martin smith mbe...

Post on 15-Jan-2016

215 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

TRANSCRIPT

Security awareness and cultural change

“…from bad apples to good eggs…”

Martin Smith MBE FSyI

Chairman and Founder

The Security Company (International) LtdThe Security Awareness Special Interest Group

There is an enormous willingness amongst workforces to follow good practice. No employee wants to be the one who lets down the team, or causes their organization to appear in the Press as the latest to suffer a data security breach or online fraud.

The vast majority of any workforce is intelligent, honest, hardworking and sensible. Our employees resent being given responsibility for compliance without sensible help or advice to go with it.

To win their support, we just need to tell them what it is we want them to do in language they can understand, describe in simple terms how we want them to do it, and explain to them the benefits of compliance - “What’s in it for me?”

• We have more than enough rules already – let’s just start explaining them properly to everyone.

People want to learn…

Inspire, Engage, Protect.

Tackle security awareness by adopting a strategic, long-term approach aligned to your business objectivesEducate, engage and empower your employees so they understand why security is important and thus change their behaviour. Define measurable targets, agreed at the outset, to demonstrate Return On Investment (ROI).

An approach…

Inspire, Engage, Protect.

The Security Awareness Special Interest Group

Inspire, Engage, Protect.

Creating a culture alert to security threats and empowering employees to be secure will not happen overnight. An integrated and sustainable approach is the only way that you will succeed.

A security awareness maturity model will establish the current level of security behaviour within your organisation. Based on your security objectives and organisational requirements you will then progress through each stage of the maturity model as far as you wish.

How security savvy is your organisation?

Inspire, Engage, Protect.

We believe a successful awareness programme should:

Inspire your workforce to create a culture alert to security risks. Engage and empower your workforce to behave securely through creative

campaigns. Protect your organisation’s assets with a long-term, strategic approach to

security awareness.

 You should aim to successfully take your employees from being unaware of their information security responsibilities; to being aware of them; to committing to your security principles and demonstrating the desired behaviours.

Inspire, engage and protect

Inspire, Engage, Protect.

Raising the level of commitment to Security Awareness

Phase VI: Report, review, amend

Phase V: Training & assessment programmes

Phase IV: Get their attention – Create Campaign Awareness

Phase III: Create Knowledge Zone (website) & Training modules

Phase II: Develop a Comms Strategy & Measurement Dashboard

Phase I: Evaluate Needs & Priorities

Inspire, Engage, Protect.

Most people want to do the right thing

Tell your employees what’s in it for them

Keep it simple

Your employees want to learn…

Inspire, Engage, Protect.

Behaviour cannot be changed by training alone…

Inspire, Engage, Protect.

People need to be aware of why something is important before they will do anything differently

Getting their attention

Inspire, Engage, Protect.

Communication should be a two way dialogue Embed key messages using regular reminders

Change employee behaviour in the long term, not just apply a 'quick fix' solution

Sustaining awareness

Inspire, Engage, Protect.

The awareness model simplified

Road Signs

Highway Code

Road Traffic Act

Scoping Workshop

Inspire, Engage, Protect.

Case Study – Global Security Communications Strategy Workshop

There are three main audiences for our security and fraud prevention awareness campaign:

• Our in-house security community (“specialists”)

• Our workforce (including the extended 3rd party enterprise)

• Our customers

All aspects of security and fraud prevention must be addressed

The organisation must be clear about what it is asking its people to do.

Scoping Workshop

Inspire, Engage, Protect.

There must be one consistent set of important messages for all business areas that are easy to remember, understand and achieve.

But then, messages should be tailored for each audience for relevance and context.

The processes and technology which support the key security and fraud prevention messages must be easy to find, understand and use.

The consequences of security behaviour should be rooted within the organisation’s reward and discipline policy.

Inspire, Engage, Protect.

“Problems are never solved at the same level of awareness that created them…”

Albert Einstein

Inspire, Engage, Protect.

“Insanity is the repetition of something over and over again, believing that the outcome will eventually change…”

Albert Einstein

Awareness is the oil…

The human factor is the final part of the jigsaw, the key to better security and fraud prevention. Good communication is the vital oil that will make our security management and fraud prevention systems run smoothly.

If you wish to know more...

Martin Smithmartin@thesecurityco.com

+44 1234 708456www.thesasig.com

top related