• Live events help lessons sink in. Hold monthly brown-bag awareness lunches for departments or remote facilities.
• Stay in people's faces: Publish a monthly newsletter on current security threats and issues. Report security metrics, both good and bad.
• Find ways of expressing the cost-avoidance benefits of improved security. For example, put a dollar amount on fewer incidents and shorter recovery times.
• Have the CEO and other top executives attend security Q&A meetings (and have them take some questions). Make sure important security memos go out under the CEO's name.
• Have direct contact with employees. Manage by walking around!
• When new threats emerge, act quickly to inform the enterprise. Demystify but don't scare.
• Make awareness initiatives vivid so that they are felt on a personal gut level by individual employees.
• Engage in multimedia education: posters, online tutorials, live events, podcasts.
• Focus on high-value awareness initiatives: loss-prevention in retail businesses, counter-competitive-intelligence strategies in research-rich environments, data privacy in financial institutions.
*–L.M.