This month I caught up with Bernadette Palmer, Head of Communications at The Security Company (International), which is a UK-based security awareness agency. Bernadette has more than 18 years' experience in communications focusing on behavioural change.
How much do you think it has helped you in the security awareness field to have a background in communications?
Having communications as part of my skillset has been hugely beneficial for my security awareness work. Particularly when advising security teams about the best ways to engage employees with, what can be, rather dull content. It also helps when engaging with internal communications teams as I have experience of standing in their shoes and seeing the world through their eyes. I always follow the communications ‘kiss’ ethos, ‘keep it short and simple’ which can be a challenge when it comes to demystifying security policy and making it relevant and interesting for employees.
Do you think not having a technical background is a help or a hindrance when approaching security awareness?
Having a technical background can be helpful sometimes but it’s certainly not a necessity. I think we sometimes forget that many employees are not techies so we have to be careful we don’t make assumptions about their levels of technical knowledge. Keep it simple and avoid jargon – put yourself in the shoes of the receiver and keep asking yourself the question ‘how would I know that?’
If you had unlimited budget, what would your ideal security awareness campaign look like?
Actually I don’t think a big budget is necessary, sometimes it’s the simple things that make the most impact. If I did have an unlimited budget though it would be dominated by face-to-face delivery. There’s nothing more powerful than interactive discussions, people feel involved and that their opinion matters. A blended approach is the most effective, electronic, visual and face-to-face as people have different ways of taking on information – little and often.
What awareness campaign are you most proud of and why?
That’s tricky as I’ve been involved in a number of excellent campaigns over the years. The one that stands out for me is where we used a cartoon image on a poster with a count-down for the launch of the programme. People were stealing the posters off the walls and from the lifts. You can’t get better engagement than that.
Do you think more organisations should consider engaging an agency rather than trying to do it themselves? What do you think are the pros and cons of engaging an agency?
I think it depends whether the company has in-house security awareness expertise. In my experience, security awareness is often bolted on to someone’s role without any recognition of the skills required to effectively deliver a programme. On the plus side, with an agency you can buy in that experience, knowledge and creativity for just as long as you need it. This means bringing in expertise without adding to your head count; a wealth of experience in delivering campaigns; they can bring creativity and excellence; they can have loads of ideas and they will work within your budget. On the down side, money, as there’s usually a very limited budget provided to deliver the programme; internal resistance to using external services and sometimes a ‘we can do this ourselves, how difficult can it be’ mentality. Security awareness requires specialist skills which I feel the industry is starting to recognize.
When engaging with clients, do you find you’re free to propose the approach or do you find clients often have pre-conceived notions that limit what you can do?
Sometimes it can be difficult to persuade a security director that actually a newsletter isn’t the right approach for engaging busy people. Or they feel that people should know the policies as this is part of their contract of employment. A discussion with internal communications teams usually reinforces our approach that a blend of communication methods is required. But most are open to our ideas and welcome a different approach; after all, that’s why they bring us in. Usually it’s necessary to highlight that some work needs to be done by the security team to address how they are perceived by the organization, as well as addressing levels of security awareness. This needs to happen alongside the awareness programme and aims to move the security team from being perceived as enforcers to trusted advisors.