The issue of security failing to attract support from the c-suite and general acceptance from the general workforce is an issue that faces security managers internationally.
International 'Think-tank' discussions identified that communications is a common failing within the security field due to bias resulting from recruiting into security positions from Defence, Police etc. Many bring their 'Need-to-Know' bias with them that can be counterproductive to effective communication.
This principle has been misused over the years to produce silos of information, some of which restricts the work of security being promoted within an organisation, thus many within an organisation may be ignorant of the work and successes of corporate security teams. It has also resulted in policies being classified that restricts access, creating a potential legal issue.
Workplace resistance to security initiatives can also result due this lack of understanding of the role and work being carried out that would support security and safety of all managers, employees, contractors and visitors.
Organisation policies, including security policies, are critical to business operations so they should be generally available to all managers and the workforce. Where possible, corporate security policies should not be classified any higher than the lowest level of security clearance of employees within an organisation and preferably unclassified where possible, to ensure that all managers and employees have access to the information.
Policies may also be required to be used in evidence in court so must be framed in a manner that clearly states the expected standard and at a classification level that can allow it to be produced in a court of law.
Corporate security has a responsibility to ensure awareness of security policies is well understood throughout an organisation and must also understand that employees will learn through different methods and speed.
Outside of office workers such as workshops or offsite workers will require face-to-face programs whilst office/corporate employees have different considerations, taking into consideration different learning styles and culture. Some will learn through face-to-face security awareness programs that allow more questioning and after training conversations, some may require hands-on-style training or one-on-one learning, whilst others may be comfortable with short, sharp video or PowerPoint training programs, or online webinars.
A powerful tool for many corporations is the Intranet webpage, where tailored security messages can be promulgated in a manner that is easily digested by management and office-based employees at all levels of the organisation. Clear, concise messages can be promulgated with links to more details and policy documents.
Another tool is the corporate social media application. Messages should be designed to attract attention, be easily digested by the reader and provide factual information as a marketing strategy to maintain after-care in order to maintain security awareness throughout the organisation, throughout the year. Links can be provided to allow readers to explore more detail in policy documents etc.
Corporate security successes can be reviewed by specialists who are able to sanitize critical operational or legal issues to provide a good news story that can be shared amongst the organisation via internal social mefia, making the work of the security team relevant to the c-suite, managers and employees across the organisation. The aim being, to bring all members of the organisation together in support of a robust security culture.
These social media releases could be developed by the security and legal specialists and the corporate training team supported by an experienced marketing team member.
In summary, effective communication of policy is critical to ensuring everyone in an organisation understands the rules under which the organisation operates, and the standards expected to be met or exceeded through its managers and employees. Dissemination can be achieved through various mediums that best suit the organisation.
