April 12, 2016 By Christopher Burgess 3 min read

As Ireland’s Oscar Wilde penned in “The Canterville Ghost,” “We have really everything in common with America nowadays, except, of course, language.” So say the operations managers as they attempt to communicate with their colleagues.

We often find ourselves communicating our thoughts with great precision only to discover that our audience did not understand a word. This is the conundrum many operations managers face as they try to bring the need for technological knowledge and security awareness to the executive suite.

Plain Language Is Not Enough for Operations Managers

Yes, plain speak is always appreciated. Getting to the crux of every issue succinctly is rarely the wrong move. That said, your plain speak may be gibberish or background noise if not presented in the correct manner. This is why creating an effective security awareness training program is often the Achilles’ heel of operations managers.

Far too often, security leaders create global programs that resonate with the test audience (normally staff located near headquarters) but fail when broadcast to the broader audience. If the security awareness training is created locally and expected to resonate globally, then the cart has been put before the horse. Those finely tuned training points will likely fall on deaf ears.

Plan Globally, Execute Locally

The most important ingredient for multinational enterprises when rolling out security awareness solutions is the need to recognize the local nuances created by language, culture and social norms. The wise will create a framework for their security awareness program with the core message in place but defer final delivery to the local operations managers.

For example, say the enterprise wishes to reduce the number of instances of tailgating into buildings. In order to accomplish this task, messaging is created for all employees: “If you see an individual without a badge, do not allow him or her to follow you into the building. Stop the entrance, even if the individual is known to you.”

It’s pretty straightforward; if there’s no badge, then you as an individual are empowered to enforce the policy. In certain arenas where individual confrontation does not create a social faux pas, the desired action will be easy for the employee to understand and execute. But what of the locale where individual confrontation of a known or unknown individual creates a tense or mutually embarrassing situation? What then?

The global message may be understood, but local operations managers are best suited to put forward the appropriate wrapping on that global message to achieve the desired results.

Continuing with the above example, for those areas where a confrontation would be uncomfortable, the instructions to the employee might be adjusted. Employees may be told, “When you encounter an individual without proper identification, escort them to the lobby ambassador (or equivalent).” This facilitates employee success in enterprise endeavors while also protecting the security of the company.

It Is Not What or How, but Why

This brings us to the second conundrum operations managers face with great regularity: Policies, procedures, rules and directives are issued to employees. The message is received and endorsed by the C-suite and pushed out from top to bottom.

The messages, unfortunately, are steeped in the what and the how but rarely the why. Without the why, adoption will be like the seeds of the dandelion, blown into the wind with only a small chance of germinating and taking hold.

Security awareness training must align to business, and the why of policies provides the opportunity to do this. It also offers a clear and concise message from operations managers that security is a shared responsibility. It does not just fall on the shoulders of those who have the word “security” in their job title.

Align Business and Security

When security awareness training is aligned with business goals, and the processes, procedures and technology are owned by the operations managers and supported by the information security team, achieving security nirvana is possible. Then and only then will employees understand their role in keeping the company secure. Their immediate manager will be the one explaining and enforcing the security rules and why they exist.

Does your company enable the operations managers with ownership of the business processes and procedures, including the security decisions? If not, then perhaps it is time to amp up the security awareness education so these managers are sufficiently educated to take on the responsibilities. They will surely be held responsible for their business decisions, including those involving security, so it’s essential they are prepared to tackle these challenges.
