Last week, we discussed three of our thought processes when thinking about creating a successful information security process. Here are four more ideas that come to mind.
The User-Centered Approach
No matter how much they identify with the “team”, people still want to know “what’s in it for them.” And people, being people, often take better to something novel if they understand the goal or underlying principle(s) at work. For many, nothing is more off-putting than the phrase “It’s technical-you wouldn’t understand.”
Here, looking at users’ needs can increase buy-in of a new security process. This is often termed the “user centered approach” in technical communication. No matter the security goal, people need to understand why new security measures are important to the organization, and that often starts at the individual level.
Look for Common Ground
Claudia Girrbach, CISSP, offers these five tips for creating a new security process:
- Focus on users’ needs
- Make the message memorable
- Recruit opinion leaders to show them
- Guide them on information security processes
- Ensure compliance
Girrbach uses confidential information as one form of common ground within an organization as a way of focusing on users’ needs. Many, if not all, employees in an organization have some access to confidential information that could be misused to the detriment of co-workers, customers, and business partners. A company’s competitors, for instance, would relish the prospect of a well-publicized security breach to shake customer confidence, while criminals would like nothing more than to gain access to employee and customer data for their own purposes.
Choose the Messengers
Rather than rely strictly on a hierarchical, bureaucratic announcement of a new system, Girrbach suggests recruiting opinion leaders to help deliver and reinforce key messages. Employing a broad range of opinion leaders as messengers can help draw attention to the importance of security goals, since these leaders tend inspire respect from colleagues in the various groups from which they are chosen.
Positive reinforcement yields better results, to say nothing of better morale, than negative reinforcement. So it’s important to be ready to recognize and show appreciation for good security behavior as it occurs.
Be Ready to Measure Success
Of course, success should be measurable, so plans should include the development of a metric to ascertain users’ acceptance of a new measure, for example, a new authentication process, by tracking how many passwords are strong.
Due diligence and due care should apply just as much to the human element as the technical. Researching the tools and processes different departments use on regular basis can help any new security process yield results that are relevant, memorable, and ultimately, successful.