The great Ron Swanson has said some truly quotable things in his 7 year existence on Parks and Recreation. His anti-government one-liners and monotonous missives on manliness have sent fans into giggle fits. There are tumblers dedicated to this man and his mustache.
And while it’s hard to pick the funniest or the smartest or the best Ron Swanson quote, there is one that always comes to mind when we’re advising clients on their security awareness programs:
It’s a lesson that can be applied to nearly any aspect of our lives but it’s something we’re reminded of frequently enough when it comes to consulting clients that we felt it was necessary to address this topic.
A security awareness campaign is made up of a lot of moving parts, many different components that require input and participation from a lot of different people. It can be a beast, overwhelming to many and understandably so. But there are ways to cut back on the overwhelming factor and that comes down to something we see over and over again: companies trying to do ALL THE THINGS ALL AT ONCE.
Instead of starting slow, gaining momentum and building up to a totally comprehensive program, many organizations try to start with everything all at one time. This inevitably leads to crushing disappointment because unless you have a huge dedicated staff, you’re not going to have the time, manpower or mental bandwidth to handle all of the things all at once. This means instead of doing a really awesome job and rolling out an eye-catching, engaging and effective awareness program, you’re going to end up half-assing a lot of it and it’s not going to be nearly as successful as you want and you’ll be frustrated.
So take Ron Swanson’s advice.
Don’t half-ass two (or too many!) things. Whole-ass one thing at a time, and when you’ve done that well, add on the next element.
Don’t try rolling out a program that includes training modules, and videos, and posters and newsletters and interactive games and a gamified LMS all in the same month or quarter — and certainly don’t just dump all of your awareness materials on an intranet and hope people will click on them…
Pick ONE thing to start with, maybe a monthly newsletter, figure out where the content is coming from (in-house, a 3rd party vendor?), how you’re going to distribute it (email PDFs, a link on an intranet, printed out copies?), and get that going without any hitches for a couple months. Then get some posters that are tied in with the subject matters of the upcoming newsletter issues and figure out where you’ll get them printed, where they’ll get hung, how you can use them in a screensaver, and get that underway. Then roll out a couple videos and a training module or two (as long as you’ve already sorted out the LMS situation!) and plan a cool gaming and giveaway event for the end of the year. Before you know, you’ll have a totally comprehensive awareness program and will not feel overwhelmed nor will you have overwhelmed your users.
Planning and organizing and not trying to overachieve will help you whole-ass your awareness program to its full potential!
Have you learned something about #securityawareness from Pop Culture? Tweet us @SecAwareCo and share what lessons you’ve learned!
Latest posts by Ashley Schwartau (see all)
- Here I Am: My Unexpected InfoSec Career Path - May 30, 2017
- Harry Potter and the Security Prophecy - May 4, 2017
- Use Gamification to Drive Engagement with Monthly Newsletters - January 12, 2017