Having the proper communications expertise also plays a critical role in effective security training. "Simply checking the box that you performed security compliance training doesn't manage the security risk of the firm," he adds. "You have to align what you do and change the conversation to something that's more meaningful to people outside of the security organization."
One way that Leek addresses the problem is to be selective in security hires, augmenting his staff with professionals who have business and communications backgrounds in addition to robust technical security skills. "We have someone on the team who is in the technical weeds and another who is an MBA from George Washington University," he says. "Communications skills and trainability in this area is a key focus as part of the hiring process."
At Applied Materials, there has been more change on the security policy front in the last 12 months than there has been over the last five years due to the increasing number of external threats, which means a greater focus on communications, notes CIO Jay Kerley. "At the end of the day, protecting our information assets and crown jewels is becoming more and more important to us," Kerley says. "As policies change from human resources and legal, the question is how do you effectively communicate information and deal with the different jurisdictions with different requirements."
Lucky for him, Kerley has a dedicated IT marketing director on his staff, who works with communications colleagues across legal, human resources and corporate domains to craft campaigns that spell out the risks, raise awareness, and promote new policies. "The CSO role has been in a wave of transformation for some time and it's all about change management," Kerley says. "If you look at traditional change management methods, communications is a critical part."
To promote security best practices, Applied Materials instituted the Confidential Information Management Campaign, a multi-faceted program that encompasses awareness, technology controls and business process change. The program is supported by Glaston Ford, director, IT marketing, together with a cross-functional team from Applied Materials' corporate communications department and content experts across the business, legal, IT and human resources. The team employs a variety of communications tactics to get its messaging across, from executive emails and CEO town hall meetings to small group meetings, flyers and posters.
"It's become a part of my job these last three years coinciding with the high-profile nature of security breaches," Ford explains. "If a company doesn't have a communications function inside of IT, they need to enlist help from the corporate communications organization--it's that important."
With internal users the most significant security threat, a greater number of companies are deploying resources to raise awareness of security policies. Yet often those resources hail from different functional areas of the business, which can result in erratic messaging, says David Barton, CISO at Websense, a security solutions provider.