When it comes to security awareness, a common challenge I find is organizations have focused so much on getting management support, budget and materials that when they are ready to start they have not yet thought of how to begin. One of the best places to start is building your team, a steering committee if you like. The purpose of this team is to help guide your program in the years to come. Not only can members provide input, but they can also become owners and champions for your program. Keep the team simple, you are not required to regular meetings or even be physically together, perhaps something as simple as quarterly Skype conferences. Also, keep the team small, I suggest no more then 5-7 people. Anything larger and consensus building becomes almost impossible. Some key departments I recommend are
- Audit: to ensure you meet compliance requirements, especially in tracking your program.
- Human Resources: as they often control who is trained and when. In addition they are often responsible for many of the Acceptable Use policies. Finally, if your awareness program addresses any enforcement issues, HR is often where enforcement begins.
- Legal: for obvious reasons.
- Help Desk: These folks are often forgotten but can be very helpful for your program. They have the pulse of how the organization is operating. In addition, the Help Desk may be the first place people go to with any security related issues, questions or incident reports.
- Marketing: As security professionals we know security. We have a good understanding of what the greatest risks are to our organization and how to mitigate them. Where our profession sucks at (to put it bluntly) is communicating these issues. Your awareness program can have the greatest content in the world, but if you cannot engage your employees they simply will not listen. Get marketing on your team and listen to them, this is what they do for a living.
- Training: Obviously if you have a training or communications department, be sure to coordinate with them. For organizations over 10,000 people I often find you have specific branding requirements which dictate the what and how your materials are communicated.
What departments did I leave out? If you have an awareness steering committee, any suggestions what works best?