People’s attitudes toward security in general and your organization’s security program in particular tend to fall into one of six categories, which we’ve put on what we call our “ladder of involvement” in security.
- Ownership
- Participation
- Compliance
- Apathy
- Avoidance
- Subversion
—Carl Roper, Dr. Lynn Fischer, and Joseph A. Grau, from page 75 of their book Security Education, Awareness and Training.
Many of us think of security education as a campaign or project that involves posters, slogans, policy reminders and perhaps a live or online security training class or two. That is a very narrow view, as the authors explain:
“Security education is everything we do to enable people in our organization to carry out their roles in our security program effectively and reliably, plus everything we do to influence them to do just that.”
Enabling and Influencing
My two favorite words in that statement are “enable” and “influence”. It doesn’t make much sense to try to influence people to carry out a role if we don’t first enable them with the knowledge and means to do so. This provides a good yardstick against which to measure the current situation.
My favorite phrase in that statement is “everything we do”. Whether we intend them to or not, everything we say while on the job has the potential to influence people positively or negatively about security.
A CEO once told me that his security director was “very dedicated”. I asked him how he came to that conclusion. The security director had once remarked to him, “I just love my job” after a subordinate had reported via radio that she had just prevented a potential security incident. The CEO said, “Not only did he say that, he acted like it, too. You could see it in his face.” That was an interesting observation. I don’t know that I’d have been astute enough to make the connection between that remark and “dedication”.
The point is that as security practitioners or security stakeholders, anything and everything we say about security has the potential to influence others for good or for bad. That’s probably a much larger factor in our organizational security awareness picture than we have given it credit for.
Even our simple comments and statements are free tools that can make a difference. We just haven’t been fully aware of their potential and the opportunities to use them.
Climbing the Ladder
Here is an excellent exercise for security practitioners:
- Make a list of the categories of security stakeholders in your organization.
- For each category, identify where you want them to be on the security Ladder of Involvement.
- Make your best estimate, based upon evidence and intuition, as to what percentage of stakeholders in each category are at each level.
Regardless of the scores, see how your thinking has now changed with regard to your objectives for security education and awareness.
The stakeholder group that is furthest away from your objectives for them is a suitable candidate group for your next initiative. Remember that anything you do or say–no matter how small–has value if it helps to enable or influence them to better fulfill their role.
Here is a simple exercise for security stakeholders:
- What is your security role?
- Are you fully empowered for it?
- If not, what would it take to enable you in that role?
I’m interested in hearing about the successes you have in applying the security awareness factors in this issue of The Security Minute.
Best regards,
Ray Bernard