When Operations Managers Speak Security Awareness, Do Employees Really Understand?

April 12, 2016

As Ireland’s Oscar Wilde penned in “The Canterville Ghost,” “We have really everything in common with America nowadays, except, of course, language.” So say the operations managers as they attempt to communicate with their colleagues.

We often find ourselves communicating our thoughts with great precision only to discover that our audience did not understand a word. This is the conundrum many operations managers face as they try to bring the need for technological knowledge and security awareness to the executive suite.

Plain Language Is Not Enough for Operations Managers

Yes, plain speak is always appreciated. Getting to the crux of every issue succinctly is rarely the wrong move. That said, your plain speak may be gibberish or background noise if not presented in the correct manner. This is why creating an effective security awareness training program is often the Achilles’ heel of operations managers.

Far too often, security leaders create global programs that resonate with the test audience (normally staff located in proximity) but fail when broadcast to the broader audience. If the security awareness training is created locally and expected to resonate globally, then the cart has come before the horse. Those finely tuned training points will likely be falling on deaf ears.

Plan Globally, Execute Locally

The most important ingredient for multinational enterprises when rolling out security awareness solutions is the need to recognize the local nuances created by language, culture and social norms. The wise will create a framework for their security awareness program with the core message in place but defer final delivery to the local operations managers.

For example, say the enterprise wishes to reduce the number of instances of tailgating into buildings. In order to accomplish this task, messaging is created for all employees: “If you see an individual without a badge, do not allow him or her to follow you into the building. Stop the entrance, even if the individual is known to you.”

It’s pretty straightforward; if there’s no badge, then you as an individual are empowered to enforce the policy. In certain arenas where individual confrontation does not create a social faux pas, the desired action will be easy for the employee to understand and execute. But what of the locale where individual confrontation of a known or unknown individual creates a tense or mutually embarrassing situation? What then?

The global message may be understood, but local operations managers are best suited to put forward the appropriate wrapping on that global message to achieve the desired results.

Continuing with the above example, for those areas where a confrontation would be uncomfortable, the instructions to the employee might be adjusted. Employees may be told, “When you encounter an individual without proper identification, escort them to the lobby ambassador (or equivalent).” This facilitates employee success in enterprise endeavors while also protecting the security of the company.

It Is Not What or How, but Why

The latter point is the second conundrum operations managers face with great regularity: Policies, procedures, rules and directives are issued to employees. The message is received and endorsed by the C-suite and pushed out from top to bottom.

The messages, unfortunately, are steeped in the what and the how but rarely the why. Without why, adoption will be like the seed petals of the dandelion, blown into the wind with only a small chance of germinating and taking hold.

Security awareness training must align to business, and the why of policies provides the opportunity to do this. It also offers a clear and concise message from operations managers that security is a shared responsibility. It does not just fall on the shoulders of those who have the word “security” in their job title.

Align Business and Security

When security awareness training is aligned with business goals (and the processes, procedures and technology are owned by the operations managers and supported by the information security team), achieving security nirvana is possible. Then and only then will employees understand their role in keeping the company secure. Their immediate manager will be the one explaining and enforcing the security rules and why they exist.

Does your company enable the operations managers with ownership of the business processes and procedures, including the security decisions? If not, then perhaps it is time to amp up the security awareness education so these managers are sufficiently educated to take on the responsibilities. They will surely be held responsible for their business decisions, including those involving security, so it’s essential they are prepared to tackle these challenges.

Christopher Burgess
CEO at Prevendra

Christopher Burgess is the CEO of Prevendra, a security, privacy and intelligence company. He is also an author, speaker and advocate for effective security...