Security Awareness Programs: Now Hear This!

Awareness programs are the cheapest way to prevent costly problems, but the security message can be easy to ignore. CSOs and CISOs share their strategies for spreading the good word.

Since this magazine's inception, our CSO friends and sources have bemoaned the prevalence, throughout the enterprise, of wrong-headed views on what constitutes an excellent security mission and program. Frequently, the complaints have pointed explicitly to the upper organizational reaches—CEOs, other O's, boards of directors. But the problem of wrong-headed notions about security in general is often acknowledged to be both deep and widespread.

Some years ago, CSO interviewed famously colorful consultant Thornton May (see Why Security Needs to Blow Its Own Horn). May generalized about security executives: "These guys are gifted nonbranders! They couldn't sell water to a man on fire!"

We beg to differ. There is plenty that lies beyond a CSO's direct control. But we are here to tell you this: One thing CSOs do have control over, and accountability for, is the way the security program is perceived and understood within the enterprise. It all boils down to awareness, which is built through patient and relentless education and marketing—yes, marketing—about the importance of security as both the guardian and enabler of core business value.

An aggressive, well-designed and -executed security awareness program can help to transform the business culture, increase overall security program effectiveness and present the "brand" of the security function in a more positive, business-focused light. It can also help the security executive "sell up" to senior management and achieve the elusive goal of tight integration between business strategy and security practice.

CSO and the CSO Executive Council, an affiliated professional group, recently conducted an online survey aimed at gauging the current state and prevalence of awareness programs. Though training is certainly a subset, our survey defined formal security awareness programs as those that go beyond the basic training of newly hired employees to educate them about the organization's policies and procedures. Our definition cast awareness initiatives as more in line with a full and timely security curriculum, delivered to—and sometimes beyond—the enterprise in a variety of ways, and embodying many of the features of a highly effective marketing campaign.

The results of our survey are mainly encouraging, showing that a vast majority of respondents are more than ready to bottle and sell water in the hopes of making combustion of all kinds much less likely.

First, 74 percent of our 168 respondents said they have formal awareness programs in place that are at least one year old, though such programs range in maturity. Of these, 27 percent said they have young programs that are between one and two years old; that was the most popular answer. Of the remaining respondents, 18 percent were planning to launch a program. Only 8 percent did not have plans for an awareness program.