Tips for crafting a great workplace IT security awareness program

24.03.2010
Selling information security awareness to employees can be like "pushing the Queen Mary up Mt. Everest on the best of days," says Jay Carter, director of information for the faculty of arts and sciences at Harvard University. But that hasn't stopped him from trying over the years, and he has success stories to share.

He did so at the Wednesday, alongside co-panelist Michael Ste. Marie, information security analyst for Federal Home Loan Bank of Boston.

Carter says he has established an advisory council with faculty and staff at Harvard to ensure end users' concerns are addressed in establishing security policies. "I can't overstate the importance of establishing a two-way dialogue with your community," he says.

 

Carter schedules regular meetings to update end users on security policy issues and to re-emphasize major points. He has also printed up Information Security 101 brochures featuring a custom logo featuring Harvard's emblem secured with a lock and key, which he says is part of a consistent branding effort.

Posters, customized screen savers with security messages and other communications mechanisms can also be used to spread the word. In a past job, he bought information videos and the staff printed out movie tickets and provided pizza, then popcorn, for those who attended.

"It's an opportunity to be creative," he says. Plus, he adds, offering food always gets people's attention.

Carter advises that when writing a security policy, general titles and a common phone number/email address should be used rather than individuals' names and numbers given that IT security staff come and go.

 

Carter, who also implemented security awareness education programs at other organizations before coming to Harvard, says that that when a breach does occur or a malware infection takes place, the IT security department should use the event as an opportunity to stress the reality of security threats and the importance of adhering to best practices. "If management doesn't know you're facing challenges they'll wonder why they need an info security department," he says.

"Transparency is the best tool to promote information security," Carter says.

FHLB's Ste. Marie says getting and keeping employees interested in information security is the big challenge since "it's not going to happen overnight – it's a cultural change."

He engaged employees by holding sessions with them about topics that might appeal to their personal lives as well, such as , identity theft/phishing and monitoring kids online. He also passed along news articles of interest on such topics, and the result was two-way conversation.

"It worked. People are talking to me all the time," he said.

Follow Bob Brown on Twitter at

in Network World's Wide Area Network section.