Keep it simple
You’re unlikely to achieve real culture change without employees feeling that change is possible. The biggest reason for non-compliance? Employees don’t feel they can do what’s asked of them, or the requirements aren’t practical within the demands of their day-to-day role.
So first, make sure your demands are practical and achievable. Don’t demand eight-digit passwords in policy if the maximum your systems allow is six. Don’t insist employees never use public Wi-Fi if 80% of their time is spent on the road.
We’ll challenge you, and your policy, on all these points.
But where communication can really support these challenges is by making sure all instruction is as succinct as possible. Employees need to focus on what they perceive to be important: their day jobs. While we need to tell them that information security is part of their day job, we need to do so in the least burdensome way possible.
We keep our messages short, sharp and memorable. Less is definitely more, as they say, and while a picture can say a thousand words, we’re pretty confident the thousand words weren’t necessary in the first place.
ISO 27001 7.2.2: Security policies should be established in line with the organisation’s information security policies and relevant procedures, taking into consideration the controls that have been implemented to protect the information.