As Ireland’s Oscar Wilde penned in “The Canterville Ghost,” “We have really everything in common with America nowadays, except, of course, language.” So say the operations managers as they attempt to communicate with their colleagues.

We often find ourselves communicating our thoughts with great precision only to discover that our audience did not understand a word. This is the conundrum many operations managers face as they try to bring the need for technological knowledge and security awareness to the executive suite.

Plain Language Is Not Enough for Operations Managers

Yes, plain speak is always appreciated. Getting to the crux of every issue succinctly is rarely the wrong move. That said, your plain speak may be gibberish or background noise if not presented in the correct manner. This is why creating an effective security awareness training program is often the Achilles’ heel of operations managers.

Far too often, security leaders create global programs that resonate with the test audience (normally staff located in proximity) but fail when broadcast to the broader audience. If the security awareness training is created locally and expected to resonate globally, then the cart has come before the horse. Those finely tuned training points will likely be falling on deaf ears.

Plan Globally, Execute Locally

The most important ingredient for multinational enterprises when rolling out security awareness solutions is the need to recognize the local nuances created by language, culture and social norms. The wise will create a framework for their security awareness program with the core message in place but defer final delivery to the local operations managers.

For example, say the enterprise wishes to reduce the number of instances of tailgating into buildings. In order to accomplish this task, messaging is created for all employees: “If you see an individual without a badge, do not allow him or her to follow you into the building. Stop the entrance, even if the individual is known to you.”

It’s pretty straightforward; if there’s no badge, then you as an individual are empowered to enforce the policy. In certain arenas where individual confrontation does not create a social faux pas, the desired action will be easy for the employee to understand and execute. But what of the locale where individual confrontation of a known or unknown individual creates a tense or mutually embarrassing situation? What then?

The global message may be understood, but local operations managers are best suited to put forward the appropriate wrapping on that global message to achieve the desired results.

Continuing with the above example, for those areas where a confrontation would be uncomfortable, the instructions to the employee might be adjusted. Employees may be told, “When you encounter an individual without proper identification, escort them to the lobby ambassador (or equivalent).” This facilitates employee success in enterprise endeavors while also protecting the security of the company.

It Is Not What or How, but Why

The latter point is the second conundrum operations managers face with great regularity: Policies, procedures, rules and directives are issued to employees. The message is received and endorsed by the C-suite and pushed out from top to bottom.

The messages, unfortunately, are steeped with the what and the how but rarely the why. Without why, adoption will be like the seed petals of the dandelion, blown into the wind with only a small chance of germinating and taking hold.

Security awareness training must align to business, and the why of policies provides the opportunity to do this. It also offers a clear and concise message from operations managers that security is a shared responsibility. It does not just fall on the shoulders of those who have the word “security” in their job title.

Align Business and Security

When security awareness training is aligned with business goals — and the processes, procedures and technology is owned by the operations managers and supported by the information security team — achieving security nirvana is possible. Then and only then will employees understand their role in keeping the company secure. Their immediate manager will be the one explaining and enforcing the security rules and why they exist.

Does your company enable the operations managers with ownership of the business processes and procedures, including the security decisions? If not, then perhaps it is time to amp up the security awareness education so these managers are sufficiently educated to take on the responsibilities. They will surely be held responsible for their business decisions, including those involving security, so it’s essential they are prepared to tackle these challenges.

More from CISO

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…