While we previously addressed the other two points, addressing current events is optional and should involve an ongoing news story. One of the more recent stories involved Heartbleed, and how it affects individuals and organizations. Clearly, the awareness message was to ensure that people change their passwords frequently. However, tying a simple subject like that to news events demonstrates why awareness has tangible relevance. For example, at this link is a message that we recommended that our customers send out to their employees. While security issues becoming top news stories is not a weekly event, should there be something that has become a widely known issue, including the latest data breaches, it is great to take advantage of the timeliness.
With the three topics, as we discussed in our security awareness success article, it is important that they be addressed simultaneously in multiple communication channels. Highlighting one topic per month, as is the case with most traditional awareness programs, is ineffective for the general population, and it will be especially ineffective for executives.
Even if you do not have to gain support from C-level executives, you should still recognize that they are a distinct population with distinct awareness needs and communications requirements. However, assuming you need their support, your work is just beginning. You now have to convince them that the rest of the company would benefit by receiving a similar awareness program. More important, you have to convince them to increase your resources to properly enable the program.
While executives with better behaviors are always welcome, you likely invested a good portion of your awareness budget to impact a small number of people. This investment is, however, well worth it if you can get the executives to increase your budget to expand your program.
Ira Winkler, CISSP and Samantha Manke can be contacted at www.securementem.com.