In our article, "The 7 Elements of a successful awareness program," we identified the first and most critical element was obtaining C-level support. Such support is critical for the success of just about any organizational effort. Their support brings organizational buy-in and authority for your efforts. You can get other departments to support your efforts. While you will still meet some resistance, it is easier to overcome or bypass. Most importantly, you get more funding to put together a respectable awareness program.
[Survey: Corporate security thwarted by dialog failure between IT dept. and management]
However, getting that support can be tricky, if not outright difficult. Until there is a major failing, executives rarely see the tangible benefit of funding an adequate program. That being said, you need to overcome this hurdle as it can really increase the effectiveness of all awareness and other security efforts.
When Samantha was tasked with creating her first awareness program, it became quickly obvious that she did not have sufficient resources to create an adequate program for her Fortune 500 company. She quickly realized that if she wanted more budget, she had to get support from the executive managers.
With that in mind, she took a gamble and focused her initial resources and created a program specifically targeting the executives. When the executives perceived that the awareness program had direct benefit to them in both their business and personal lives, the gamble paid off, and they allocated more funding for the overall awareness program.
The lessons learned from her experience can potentially recreate the increase in funding. However, what is most notable is that those methods will increase the perceived value if an awareness program for any population within an organization.
Recognize that you have distinct cultures in your organization
Most awareness programs are unfortunately designed that all people get the same training/information. Clearly, there are many unique distinct cultures inside an organization, and they all need their own awareness program. While this subject will be covered in a future article, what is important to recognize here is that the C-level executives are one of the distinct cultures that you have to target.
Executives have concerns that are unique to their job functions. They also have preferred ways of receiving information. Therefore have to consider that you cannot use the same materials that you intend to use for the general population. You need to create a unique program.
Address strategic concerns
Before you choose the topics you want your executive awareness program to address, you need to learn about the business. You need to understand the top concerns of the executives. You need to make sure that your program addresses those concerns. You should relate all materials to those concerns as much as possible.
[No money, no problem: Building a security awareness program on a shoestring budget]
As with all organizational efforts, your awareness program has to demonstrate that it returns clear business value. You have to show that your program is synergistic to all other critical organizational efforts, and supports those efforts.
Cater to executive personal interests
While it is important to address business concerns, you cannot forget that the executives are people with their own interests. They are concerned about their personal safety, as well as the safety of their home and family. You have to consider that they are older and likely wealthier than the general population. That means that they generally have newer technologies, older children, more personal computers, travel more frequently, among other stereotypical characteristics.
You need to ensure that the executives find personal value in the program that you provide them. The hope is that the executives will realize the personal value that they derive from the program, and be altruistic enough to believe that the general population can also use similar information.
Ask what they want to know
While it is great to do your own research, the most fruitful form of research is simply to ask what security concerns the executives have. In the ideal world, you will get this exposure. However depending upon the size of the organization, as well as the perceived importance of your efforts, your access might be limited. If this is the case, look to the executives' staff to try to find out what concerns they might have.
[Security training is lacking: Here are tips on how to do it better]
This actually has two distinct effects. First is that you can better tailor the programs to the specific desires of the targeted population. More important is that a few people might feel that they contributed to the creation of the program. When you either get an executive or their staff to have a sense of ownership, they are more likely to convince others to participate in the program. Sometimes, it is even more beneficial to have influential staff members rather than the executives themselves provide the input, as they have direct influence on the executives' daily schedules.
Use communication means appropriate to the executives
Even if you have the right messages, you need to make sure that you use the appropriate communications tools. The typical posters, newsletters and videos will not usually suffice. We have found in dealing with dozens of organizations that each organization has its own executive communications channels. Before beginning to create an awareness program, you need to learn which of those communications channels is the most effective for your needs.
Stick to three simple topics
Odds are pretty good that you will identify several topics that would all be valid to include in your initial awareness program. We recommend that stick to three topics of focus that are simple to address and reinforce. Three topics provide adequate breadth to give executives a feel of what an awareness program can do. They also allow you to potentially choose topics from three key areas; achieving business goals, appealing to personal interests, and addressing current events.
While we previously addressed the other two points, addressing current events is something that is optional and should involve an ongoing news story. One of the more recent stories involved Heartbleed, and how it affects individuals and organizations. Clearly the awareness message was to ensure that people change their passwords frequently. However tying a simple subject like that to news events demonstrates why awareness his tangible relevance. For example, at this link is a message that we recommended that our customers send out to their employees. While security issues becoming top news stories is not a weekly event, should there be something that has become a widely known issue, including the latest data breaches, it is great to take advantage of the timeliness.
[Slideshow: 10 tips to embed positive security behavior in employees]
With the three topics, as we discussed in our security awareness success article, it is important that they be addressed simultaneously in multiple communication channels. Highlighting one topic per month, as is the case with most traditional awareness programs, is ineffective for the general population, and it will be especially ineffective for executives.
Conclusions
Even if you do not have to gain support from C-level executives, you should still recognize that they are a distinct population with distinct awareness needs and communications requirements. However assuming you need their support, your work is just beginning. You now have to convince them that the rest of the company would benefit by receiving a similar awareness program. More important, you have to convince them to increase your resources to properly enable the program.
While executives with better behaviors are always welcome, you likely invested a good portion of your awareness budget to impact a small number of people. This investment is however well worth it, if you can get the executives to increase your budget to expand your program.
Ira Winkler, CISSP and Samantha Manke can be contacted at www.securementem.com.