Supervisors First

An important lesson learned from dealing with an organization-wide Information Security Awareness program: train the supervisor, or more precisely: train the supervisors first !

Let’s face it: if you are not Google, Amazon or a financial player, chances are high that your senior management has a rather vague idea of information security areas and what you, the InfoSec manager, is actually doing. Nowadays every senior manager meanwhile knows that computer viruses are not a biological lifeform, but unfortunately that is where InfoSec awareness often ends. It is still not uncommon, that the InfoSec manager might be looked at as being from a different planet (not the planet of the apes but the planet of the information security managers) when in senior management meetings and presentations adressing information security strategies, roles and responsibilities.

Every InfoSec handbook will tell you in the beginning, the middle, the end and in between, how important it is to have the InfoSec program fully backed and fully supported by Senior Management. Few actually explain hot to get there though.

Not long ago we prepared and launched an organization-wide Information Security Awareness training program for an organization, fully backed by the organization’s executive top manager, who even signed an instruction that was published to all employees, making the training mandatory. After some time of tracking, supporting and maintaining the program we could see that most employees had taken the training and most of the minority who did not were supervisor and senior managers …

Lesson learned: A signature is not enough, you need the managers to really understand what InfoSec is about in order to get the real support, to get support that is actually working. And it is not only about the support you need (like the kind of support you better have in budgetary meetings) , it is also about the influence supervisors have over their reports. Supervisors are supposed to lead by example, after all.

The supervisors need to be educated first – and the mean and content need to be tailored for managers. This is imperative for the success not only for the InfoSec Awareness training but for the overall InfoSec program of the organization, and nothing less will work.

Now, how do you get the supervisors spending some of their precious time with educating themselves about Information Security ?

Well, the official support of the top manager is still a good start, that’s for sure. However, some other things need to be considerd: make their life easy and the subject “sexy”.

We will target supervisors explicitly, using a manager-tailored, interactive, multi-language, web-based training course as a start ( we are using Inspired eLearning’s course S-110 Security Awareness for Managers). The internet learning management system (iLMS) where the course is hosted allows for minimum administration efforts (providing user self service mechanism) and flexible, browser based access (it is important that managers can access the course not only from their desks but also from airport lounges, train station waiting areas, hotel rooms, etc).

I also like the fact that the course itself is not just another kind of web-formatted Powerpoint presentation but provides interactive elements as well and (very important) automatic bookmarks, which will let the manager continue the course where she/he has left it. Last but not least, it is manager compatible time-wise (30-45 minutes) and the content is, as already mentioned, manager-tailored:

Understand how to lead the security awareness charge
Understand positive strategies to motivate staff to be more security conscious
Understand security awareness roles and responsibilities
Understand employee controls
Understand how to handle security incidents
Understand the key laws related to information security