The term “company culture” is a buzzword that has been floating around for the last few years. While that brings to mind images of ping pong competition and in-office happy hours, there’s another element of company culture on the rise: security. Even companies with the best product or service can fail with a weak security culture. The best way to prevent this is by creating a strong security awareness training and education program, often called a SATE program for short. A strong SATE program is important. If you’re wondering where to start, here are the essential components of a good plan.
A Plan for the Plan
Sounds redundant, right? You can’t put together a good plan without a plan. Some companies opt for long-term plans that span a year or more, but using a shorter 90-day plan is more effective. This allows you to reinforce what you’re teaching employees, while reevaluating goals to see what is most effective every few months.
Part of putting together a strong security awareness training and education (SATE) program is being realistic. Clearly there are something things that just will not be tolerated, but banning all social media, for instance, is unrealistic. Chances are, employees will spend some time on social media, particularly if your company leverages social media marketing. Instead of hoping people will stay off, offer useful tips on how to minimize security risks while using social media.
Creativity is Key
Companies with big budgets might find putting together a plan a lot easier than smaller companies on a tight budget. For small companies, that just means using a little creativity. For example, during the next team building event, set up a booth with common security violations. Teams that can identify all of the violations the fastest win a prize, the points, etc.
Mixed Up the Materials
Being creative also means using mixed materials to drive home the main components of the program. Too many companies think just sitting employees in front of standard security modules is enough. Aside from being boring, this type of teaching often doesn’t help people retain the information. Consider using varied materials like blogs, games, and newsletters.
Creating a successful security awareness training and education (SATE) program requires working with other departments like marketing and human resources. Often, these departments have interests that crossover with your own. Instead of trying to do it alone, reach out and see how you can work together. The outside input will also help bring new and fresh ideas to the table.
Get the C-Suite Involved
Pretty much any project backed by a C-Suite will be easier to pursue—it will also be easier to get other departments involved. This can be more challenging in bigger companies, and you might have to settle for senior management. In small companies, however, you might start by creating special materials or a presentation highlighting why implementing a security awareness training and education (SATE) program is important.
Measure and Metric
You only know if your efforts are successful if you measure them. Before setting the ball in motion, you will need to get a baseline of employees’ awareness. This can even include taking the temperature of people’s attitudes toward security. It is also important to know how many security incidents have occurred prior to the program. Then, as you start to implement phases of the plan and see measurable results, you can share those with the C-Suite as justification for the program and your efforts.