
Senior management support® is something often mentioned as critical to the success of an information security awareness campaign. There are a number of reasons for this. Firstly, senior management help direct the usage of resources within the organization. Without their support, you won’t get much of a training budget or permission to take staff away from productive duties, and you might even struggle to get a room booking. Secondly, managers set the tone for behavior in the organization and it’s common for staff to imitate their manager. This is often exhibited in the way they dress like their managers and also when they behave like their managers. Do your managers scoff that ‘the rules’ are for everyone else? Do they say that training is only for the IT-illiterate and not bother to show up? The bad news is that many of your staff will copy these behaviors.
So what is the level of senior management support for the awareness programs at your organization? How does it measure up? Take this handy quiz to find out.
What is your relationship with senior management?
- You see them for regular review sessions to track progress against behavioral KPIs
- You bump into them once a year at company social events
- You have to stay away from them under the terms of your restraining order
How is your security awareness budget assigned?
- You have a three-year fully funded cultural change program
- It’s a fixed annual sum
- You have to wait to see if the stationery budget is overspent
When staff are a no-show at awareness sessions do you:
- Notify their manager who includes attendance as part of performance reviews
- Sneak a quick break
- Vow to get revenge by disabling their logon accounts
Do senior managers attend your awareness sessions?
- They help present them and take an active role in explaining the relevance to organizational objectives
- Sometimes they pop in for a quick look
- They might have but you’re not sure what they look like
What feedback from managers do you get from your awareness sessions?
- Managers are active in gathering feedback from their staff who attended the session
- Managers smile, nod and race off to take an important call
- You’re not sure since sessions go on so long that a manager’s never managed to complete one
What do senior managers think of your presenting style for awareness sessions?
- They were closely involved in setting the tone and content
- Some of them have seen bits of it and said it was good enough
- The only presenting of yours that they’ve seen are your desperate gifts and bribes trying to induce them to attend
What do managers say when you ask to take their staff away from productive duties for a whole afternoon of training?
- To let them know if any of their staff are a no-show
- We did this last year. What more do you want?
- I’m calling security
So how did you score? Mostly 1’s – you’ve got an amazing level of engagement. It seems that managers appreciate the value of your campaign and understand how it aligns to their business objectives. Mostly 2’s – it seems you and your managers are going through the motions. Even if behavior hasn’t changed, at least the QSA has ticked their compliance box and the ISO 27001 trolls are happy. Mostly 3’s – people engagement doesn’t seem to be your strong point and you seem to have used up a lot of time and effort for very few results, which suggests that your existence is pointless. Have you considered a career in Accounting?
Originally published in the December 2013 edition of the ISSA International Journal.