Editor’s note: Louisa Thistlethwaite is quality and data security officer at marketing research firm FlexMR, U.K. This is an edited version of a post that originally appeared here under the title, “Information security in market research: getting the buy-in with ‘infosec moments.’”
In the past I’ve discussed some of the steps it takes to create a strong information security culture within your marketing research organization or department. Today I’m going to focus in on one of those steps – the concept of “infosec moments” – and share some practical tips both for creating them and making them an effective part of your information security awareness strategy.
To recap, infosec moments are key information security messages presented and repeated in a short, simple and focused way. This is done within context so that they are continually absorbed (by insight staff) and thereby support the formation of positive habits regarding information security. Why is this important? Well, people have short memories and limited attention spans which is why despite best efforts, training and business initiatives can fail to take hold and effect the change they were designed for. Without follow-up, the best information security training session quickly becomes a distant memory.
The purpose of infosec moments is to bring information security into the day-to-day working environment, to normalize and embed its ethos. Infosec moments are not a replacement for formal security training or corporate security policies but they are fundamental to overall cultural adoption. So, let’s look at how to make them happen.
Delivery
Infosec moments can come in many formats. Remember that the format should be compatible with the message you are trying to communicate and the outcome you wish to achieve. This is crucial to success. Posters, footers on internal e-mails and merchandise (pens, mugs, coasters, etc.) can be effective in reminding researchers to partake in simple security behaviors, e.g., maintaining clear desks and shredding confidential documents. However, where your message is more complex or controversial, these techniques will have little impact. Employ a more proactive, assertive approach here.
Begin department/company internal meetings with three or five minutes devoted to information security. This time could be used to share examples of newsworthy security breaches and their impact. Where internal meetings are regular, consider involving researchers in the “moment” creation by inviting a different person to share a story each week or month. Equally, you might like to focus on the positive business impact of embracing information security. Either way this approach sends a much stronger communication to those attending that the issue in question is of considerable importance and demands attention.
Content
Don’t be afraid to think outside the box when it comes to crafting security moments – both in terms of the delivery and content. People have different learning styles and it’s important to accommodate this if you want your message to truly take root. A variety of (message appropriate) formats will also maintain overall engagement. Quizzes, short videos, facts and trivia, along with personal, third person or business stories can all be used to bring color and humor to what, for some, is a dry topic.
Length
Avoid the temptation to do too much in each infosec moment. The value comes from the short, easily digestible format that asks little of the audience in terms of a time investment. If you want to promote a behavior, make it crystal clear what that behavior is, simply and quickly, avoiding both jargon and distractions. If your desired behavior cannot be communicated concisely, acknowledge this and make the focus of your moment a quality reference for guidance in its correct performance.
Schedule
Often, when we are introducing a new way of working it can seem like there are literally hundreds of things that we want our entire marketing research staff to know … right now! Information security is no different. It’s easy to be ambitious but resist the urge to go overboard with your infosec moment frequency. They will lose their impact. Planning is the key here.
Take a step back. Break information security (as applied to your organization or department) down into sub-topics and sub-topics down to moments. Work out which moments are the most important to you right now and which can wait a while. Use this information to build an infosec moments schedule – considering the delivery mechanism, content, length, required repetition and exposure time for each. Your goal is to create a long-term calendar plan of bite-sized information security communication. Doing this at the outset ensures both individual moments are delivered to maximum effect and that the full range of information security teaching is ultimately assimilated.
Continuity
It can be tempting to focus on the negative when trying to create buy-in for information security initiatives, i.e., the behavior you want people to avoid or the consequences of not adhering to a specific policy. You can adopt this style in your infosec moments, but don’t rely on it, as you risk building security fatigue or apathy in your research audience.
Sharing organization or department achievements is a refreshing approach to infosec moments and one that will motivate and empower your audience. You might choose to communicate the information security risks that were proactively avoided or a behavior change that has been effected, or to praise a member of staff for their actions in relation to a security threat. Each of these shows that the initiative is being taken seriously and that performance is being recognized and rewarded.
Promoting success is particularly important when things are going well, when an information security culture has been established for some time and incidents are few and far between. Complacency can set in at this point, which brings renewed vulnerability. Remind your researchers of information security wins and benefits; show them that their continued vigilance is worthwhile.
Essential to integrity
Information security is of course my thing and I believe that it is essential to the integrity of any industry entrusted with the vast amount of personal and commercial data that we in the marketing research industry are. Every workplace has its own goals as well as behaviors that need promoting or stamping out. The moment concept can be applied to any cultural business initiative, be it customer experience, sales, environmental – to list but a few possibilities. Just remember, keep it short, innovative and positive (as far as possible) and you will succeed. I did. Good luck!