MX Logic » MX Logic IT Security Blog

24 October 2007

Challenges of Implementing a Security Awareness Program

Earlier this month we discussed why a Security Awareness (SA) program should be implemented, and followed up with a discussion of what the goal of such a program should be. Let's take a brief look at the other side of the coin today and discuss some of the challenges that you are likely to encounter when implementing your SA program.

The first question in the mind of anyone working on a program such as this would likely be "Why would I have any challenges? Everyone should know how important security is. Don't they read the news? There are new security breaches and more compromised data every day!" That may very well be true, but people may not understand how it applies to them, why it is important to them, or why they should care. In addition, any SA program needs to fit well into the corporate culture and structure of the organization in which it is implemented. In other words, SA programs are definitely not a one-size-fits-all solution.

Here are some suggestions that I believe will go a long way toward making the rollout of your SA program a success:

-- Deliver a consistent message about the importance of Information Security. If you are inconsistent, then people will be confused about what you are really trying to accomplish.

-- Convince users to develop and maintain safer computer usage habits. This includes educating them about which types of web sites are generally safe to visit and which are not, teaching them not to open email attachments from people they don't know, and making sure they have up-to-date security software on their computers (anti-virus and outbound firewalls). It's really about changing the way your users think so that they think twice about clicking that email/IM link or opening that attachment.

-- Motivate users to take a personal interest in Information Security. Make sure they understand that they are part of the process and that the success of the program really relies on them. It only takes one person not actively taking part to potentially introduce an organization-wide security or information breach.

-- Give end-user security awareness a higher priority within the organization. Make sure, though, that in doing this you aren't making it more difficult for people to do their jobs. A well-drawn-out SA program will actually make people more efficient. If it makes them less efficient, they will reject it.

-- Develop materials that deliver a clear message about security topics. Hang posters about security or give brown bag presentations that show stats on the success of the program. Also, be sure people understand the potential risks if those policies aren't followed. Continuous education is key!

I can't say it enough, but the success of the program ultimately depends on the willingness of the users to follow it. If the message is not clear, consistent, and efficient, it will not be adhered to and you will find your job very frustrating. The best security programs fit like a puzzle piece into the culture of an organization so that they are easy to understand and easy to follow.

Now that we have all of the administrivia out of the way, tune in next time when we will discuss how to actually go about getting started putting together your SA program.

Posted by smasiello at 1:48 PM