How To

Security Awareness Programs: Now Hear This!

Awareness programs are the cheapest way to prevent costly problems, but the security message can be easy to ignore. CSOs and CISOs share their strategies for spreading the good word.

By Lew McCreary

Page 2

Existing awareness programs target, in varying degrees, multiple constituencies—from boards of directors to senior executives to rank-and-file employees and even, sometimes, outward to trading partners and customers. Boards of directors (50 mentions) were in nearly a dead heat with vendors (49 mentions) for getting the least awareness attention. Not surprisingly, employees (148 mentions) got the most. Senior management (123), business unit management (114) and CEOs (84) also got plenty of focus.

We also subdivided these audiences into specific functions. Not surprisingly, security, operations, IS/IT, HR and compliance were the top attention getters. Interestingly, among internal constituencies, engineering/manufacturing (68 mentions) and R&D (72 mentions) ranked near the bottom of the list. But the absolute low-vote total went to partners—those outside of the enterprise. (For a look at the value of treating awareness issues beyond your own walls, see "Building Key Alliances," opposite page).

There is recognition that different purposes (and audiences) call for different strategies. Take audiences, for example. Cherry Delaney, who is just launching a cybersecurity awareness initiative at Purdue University (see "Getting Started," Page 34) has identified three core audiences—staff, students and faculty—and has chosen to take them on one at a time (which makes sense because, for now, she's a one-person department). Delaney has plans to exploit the popularity with students of social networking sites like Facebook.com—a venue unlikely to be of much value in reaching staff, whom she is targeting with luncheons, live seminars and intranet-based interactive training.

Besides training (129 mentions), respondents use e-mail and newsletter alerts (119 mentions), slide presentations (103), live events and meetings (94), and the corporate intranet (93). A fun-loving 46 respondents said they use quizzes, games and other reward/recognition ploys to test the effectiveness of awareness messaging (see "Teaching Tangible Lessons," this page). Twenty-three said they hold live events explicitly for the CEO or board of directors.

We asked respondents to rate which areas of the business benefited most from their awareness efforts. By a nearly 2-to-1 margin, respondents cited reductions in operational risk (to employees or the business) over other risk areas such as customers or reputation and corporate or business-unit growth. This seems plausible, since the area of operational risk is perhaps the lowest-hanging fruit for awareness programs, the place where CSOs can most easily demonstrate benefits.

It is reasonable to infer that our survey may have self-selected believers in awareness activities. Still, the results show that the development of awareness programs is a growth sector. Especially worth noting in that regard is the high number of efforts that are either just getting going (18 percent) or have been running for fewer than two years (27 percent). Apparently, most of you have moved beyond bemoaning ignorance and are now spreading enlightenment.

