WHAT PART DO MANAGERS PLAY IN ROLLING OUT A SECURITY AWARENESS PROGRAM?
One of the most important success factors within any security awareness program is getting management on board. Indeed, it is crucial that management and the board really take ownership of the program, and especially of the pursuit of information security measures, and set the right example. Only then can you ensure better awareness and behavioral change in the field of information security.
This is going very well at our client ORTEC. Jet Woudstra, Compliance & Quality Officer, and Jordan Holewijn, Junior Quality Manager, explain how.
What exactly is it that ORTEC does?
ORTEC combines data and mathematics worldwide to create value for diverse organizations and society as a whole. Our staff does so by optimizing business processes for our customers in a unique way, making them more efficient, flexible and sustainable. ORTEC and Awareways crossed paths several times before joining forces in 2018. We are still working together, and a lot of progress has been made since.
Security and privacy
From the outset, there was a desire within ORTEC to work on awareness of security and privacy. “In the context of ISO 27001 certification, the need arose to devote even more attention to these subjects”, explains Jet Woudstra, Compliance & Quality Officer at ORTEC.
“The culture scan baseline measurement was a good starting point at the start of the program. This was followed by annual follow-up measurements, which clearly showed that information and privacy awareness among employees had grown.”
What’s the role of management in awareness and behavioral change?
“In collaboration with Awareways, we offer employees security awareness training and conduct phishing simulations. Monitoring the results is very important here. Managers are sometimes surprised by the results and want to act immediately. They take results into account when they meet with their team. The agreement at ORTEC is that the subject of security is included in team meetings at least once every quarter.”
“The most important result we’ve achieved by getting managers involved is that they start talking to their teams about security during meetings. No training can match the result of creating a situation in which people are actually talking to each other about the subject.”
– Jet Woudstra, Compliance & Quality Officer at ORTEC.
“Managers often don’t know how to frame security as a subject in these meetings. But in reality, it turns out that they often do have points to make. And so do the employees. Only then do conversations come up that really contribute to awareness and behavioral change in the field of information security. This is much more effective than just communicating the results via intranet, where you don’t reach everyone anyway. Within each team, security & privacy contacts have been appointed who are responsible for these topics. Colleagues from the team can go to them when they have questions about working safely with information. Usually, the focal points also provide input for the team meetings.”
What else contributes to the success of the program?
“We see a domino effect. Because employees see each other working in a secure way, they start adopting that good behavior too.” Jordan indicates that employees sometimes speak to each other about clean desk-related issues. “Considering phishing, employees talk to each other about it if they have received such emails, and especially about how to act. Thus, the social norm plays a big role. In addition, the news certainly contributes to this: when employees read about ransomware attacks, they realize that it could also happen to ORTEC, and they therefore do their best to work even more securely.”
How do you ensure participation?
“Offering and rolling out security awareness training is step one. But then you have to make sure that everyone participates in this training. Therefore, the start of a new training is first communicated to senior management. Additionally, a message is posted on the intranet.”
“Next, ORTEC’s QRC team invites all employees via email. After a first reminder, managers are informed.”
“ORTEC’s Executive Team receives an overview of the status of awareness training and follows up with senior management. Thankfully, nowadays there are almost no stragglers for whom information security is still an obstacle. At first there was still a relatively large group that considered it less important, but now almost everyone understands the importance. That’s great to see!”
Information is ‘power’. An awareness program will yield the best possible results only if there is a profound insight into the level of information awareness among your employees. The Awareways baseline measurement, our Culture scan, is a tested method to measure, analyze and intensify information awareness. The results can be translated into concrete future measures.
Would you like to know more about our approach or the various programs and trainings we offer? Feel free to contact us!