April 12, 2016 By Christopher Burgess

As Ireland’s Oscar Wilde penned in “The Canterville Ghost,” “We have really everything in common with America nowadays, except, of course, language.” So say the operations managers as they attempt to communicate with their colleagues.

We often find ourselves communicating our thoughts with great precision only to discover that our audience did not understand a word. This is the conundrum many operations managers face as they try to bring the need for technological knowledge and security awareness to the executive suite.

Plain Language Is Not Enough for Operations Managers

Yes, plain speak is always appreciated. Getting to the crux of every issue succinctly is rarely the wrong move. That said, your plain speak may be gibberish or background noise if not presented in the correct manner. This is why creating an effective security awareness training program is often the Achilles’ heel of operations managers.

Far too often, security leaders create global programs that resonate with the test audience (normally staff located in proximity) but fail when broadcast to the broader audience. If the security awareness training is created locally and expected to resonate globally, then the cart has come before the horse. Those finely tuned training points will likely be falling on deaf ears.

Plan Globally, Execute Locally

The most important ingredient for multinational enterprises when rolling out security awareness solutions is the need to recognize the local nuances created by language, culture and social norms. The wise will create a framework for their security awareness program with the core message in place but defer final delivery to the local operations managers.

For example, say the enterprise wishes to reduce the number of instances of tailgating into buildings. In order to accomplish this task, messaging is created for all employees: “If you see an individual without a badge, do not allow him or her to follow you into the building. Stop the entrance, even if the individual is known to you.”

It’s pretty straightforward; if there’s no badge, then you as an individual are empowered to enforce the policy. In certain arenas where individual confrontation does not create a social faux pas, the desired action will be easy for the employee to understand and execute. But what of the locale where individual confrontation of a known or unknown individual creates a tense or mutually embarrassing situation? What then?

The global message may be understood, but local operations managers are best suited to put forward the appropriate wrapping on that global message to achieve the desired results.

Continuing with the above example, for those areas where a confrontation would be uncomfortable, the instructions to the employee might be adjusted. Employees may be told, “When you encounter an individual without proper identification, escort them to the lobby ambassador (or equivalent).” This facilitates employee success in enterprise endeavors while also protecting the security of the company.

It Is Not What or How, but Why

The latter point is the second conundrum operations managers face with great regularity: Policies, procedures, rules and directives are issued to employees. The message is received and endorsed by the C-suite and pushed out from top to bottom.

The messages, unfortunately, are steeped in the what and the how but rarely the why. Without why, adoption will be like the seed petals of the dandelion, blown into the wind with only a small chance of germinating and taking hold.

Security awareness training must align to business, and the why of policies provides the opportunity to do this. It also offers a clear and concise message from operations managers that security is a shared responsibility. It does not just fall on the shoulders of those who have the word “security” in their job title.

Align Business and Security

When security awareness training is aligned with business goals — and the processes, procedures and technology are owned by the operations managers and supported by the information security team — achieving security nirvana is possible. Then and only then will employees understand their role in keeping the company secure. Their immediate manager will be the one explaining and enforcing the security rules and why they exist.

Does your company enable the operations managers with ownership of the business processes and procedures, including the security decisions? If not, then perhaps it is time to amp up the security awareness education so these managers are sufficiently educated to take on the responsibilities. They will surely be held responsible for their business decisions, including those involving security, so it’s essential they are prepared to tackle these challenges.
