As Ireland’s Oscar Wilde penned in “The Canterville Ghost,” “We have really everything in common with America nowadays, except, of course, language.” So say the operations managers as they attempt to communicate with their colleagues.

We often find ourselves communicating our thoughts with great precision only to discover that our audience did not understand a word. This is the conundrum many operations managers face as they try to bring the need for technological knowledge and security awareness to the executive suite.

Plain Language Is Not Enough for Operations Managers

Yes, plain speak is always appreciated. Getting to the crux of every issue succinctly is rarely the wrong move. That said, your plain speak may be gibberish or background noise if not presented in the correct manner. This is why creating an effective security awareness training program is often the Achilles’ heel of operations managers.

Far too often, security leaders create global programs that resonate with the test audience (normally staff located in proximity) but fail when broadcast to the broader audience. If the security awareness training is created locally and expected to resonate globally, then the cart has come before the horse. Those finely tuned training points will likely be falling on deaf ears.

Plan Globally, Execute Locally

The most important ingredient for multinational enterprises when rolling out security awareness solutions is the need to recognize the local nuances created by language, culture and social norms. The wise will create a framework for their security awareness program with the core message in place but defer final delivery to the local operations managers.

For example, say the enterprise wishes to reduce the number of instances of tailgating into buildings. In order to accomplish this task, messaging is created for all employees: “If you see an individual without a badge, do not allow him or her to follow you into the building. Stop the entrance, even if the individual is known to you.”

It’s pretty straightforward; if there’s no badge, then you as an individual are empowered to enforce the policy. In certain arenas where individual confrontation does not create a social faux pas, the desired action will be easy for the employee to understand and execute. But what of the locale where individual confrontation of a known or unknown individual creates a tense or mutually embarrassing situation? What then?

The global message may be understood, but local operations managers are best suited to put forward the appropriate wrapping on that global message to achieve the desired results.

Continuing with the above example, for those areas where a confrontation would be uncomfortable, the instructions to the employee might be adjusted. Employees may be told, “When you encounter an individual without proper identification, escort them to the lobby ambassador (or equivalent).” This facilitates employee success in enterprise endeavors while also protecting the security of the company.

It Is Not What or How, but Why

The latter point is the second conundrum operations managers face with great regularity: Policies, procedures, rules and directives are issued to employees. The message is received and endorsed by the C-suite and pushed out from top to bottom.

The messages, unfortunately, are steeped with the what and the how but rarely the why. Without why, adoption will be like the seed petals of the dandelion, blown into the wind with only a small chance of germinating and taking hold.

Security awareness training must align to business, and the why of policies provides the opportunity to do this. It also offers a clear and concise message from operations managers that security is a shared responsibility. It does not just fall on the shoulders of those who have the word “security” in their job title.

Align Business and Security

When security awareness training is aligned with business goals — and the processes, procedures and technology are owned by the operations managers and supported by the information security team — achieving security nirvana is possible. Then and only then will employees understand their role in keeping the company secure. Their immediate manager will be the one explaining and enforcing the security rules and why they exist.

Does your company give operations managers ownership of the business processes and procedures, including the security decisions? If not, then perhaps it is time to amp up the security awareness education so these managers are sufficiently educated to take on the responsibilities. They will surely be held responsible for their business decisions, including those involving security, so it’s essential they are prepared to tackle these challenges.
