Create a burning platform
For most employees, information security is typically a dry and relatively uninspiring topic. That means our communications need to work hard to stand out and engage employees against the background noise of the other communications and the day-to-day activity that they are exposed to.
To address these issues requires the development of a simple and flexible creative platform – to provide the visual and intellectual glue that helps position security appropriately in employees’ minds. It will have the following attributes:
it offers an appropriate expression of the core security proposition;
it is distinctive, helping security communications to stand out;
whilst being distinctive it is also ‘on-brand’;
it is flexible enough to allow a wide range (e.g. type, tone) of messages to be delivered across the security programme to different employee audiences;
it works across various communication channels;
it has a perceived longevity i.e. it is not a platform that tires and expires, but rather it can support security communications for a period of years.
We need to ensure that every time a new message is added, employees will associate it with the wider campaign. And over time, these messages should aggregate into a steadily building and accessible body of knowledge that reinforces the essential security mindset.
ISO 27001 7.2.2: When composing and awarenesss programme, it is important not only to focus on ‘what’ and ‘how’, but also the ‘why’. It is important employees understand the aim of information security and the potential impact.