Security is too important to leave solely to the IT department, say Cisco Systems officials.
That’s why the company hired a number of communications specialists to get out the message to its 60,000 employees to avoid risky behavior online either in the office or when using company-owned network devices. It’s a strategy Cisco advised organizations to consider in a Webinar this week.
“Security guys have got to stop talking in technology terms,” said John Stewart, the company’s chief security officer, because employees just tune them out.
Instead, security messages have to be crafted around simplicity, a few inexpensive giveaways and rewards for good behavior.
After realizing that the efforts of Stewart’s team of Cisco staffers weren’t producing the changes in behavior it wanted, the company recruited media relations specialist Mia Bradway Winter to be its senior manager of corporate security with a mandate to get people to take security more seriously.
Among other things, Winter and Stewart suggest establishing local “security champions” in branches to oversee overall messages and strategies set at corporate headquarters. However, regions also have the power to ensure messages, images and colours in printed or online materials reflect local sensibilities.
In the U.S., Cisco found, posters warning of security practices don’t work, but they are effective in Europe.
Stewart credits Winter for allowing security leaders to talk about staffers’ mistakes rather than hiding them as a way of putting a personal face on security without identifying the offender. “Too many people read news reports of security breaches at other companies and think, ‘It can’t happen here,’” he said.
While Cisco’s security strategy was spread over several years, it sometimes took only a little bit of money to get employees’ attention. For example, the company found US$2,000 for laptop security screens for senior executives to “seed the audience.” Other staffers found the devices were “cool” and began buying them themselves, and the screens became what Stewart called a “badge of honour.” Now Cisco makes the screens mandatory on all new PCs it buys.
Sometimes rewards help – such as giving a certificate for attending a security training course, or urging staffers to nominate colleagues who show exemplary security activity, who are then publicly thanked by managers.
Ultimately, Stewart suggested, organizations want staffers to caution each other about improper behavior on the theory that you’re more likely to listen to a colleague than a manager.
Organizations aiming to set up a security strategy should get buy-in from upper management, said Winter, and appoint the right person to lead the charge. Extensive research is necessary not only to define the different audiences in each organization, but also to find the right vehicles for communicating messages.
What’s important in crafting any strategy, Stewart suggested, is simplicity: Spell out three or so rules for working online – what management forbids staffers from doing, what it really appreciates them not doing, and things it merely recommends them not doing.
“If you get security as a topic at the water cooler,” said Stewart, “that means security’s important on people’s minds.”