
Nurturing a security culture and subtly influencing positive change where necessary is a critical process for business organizations.
Security awareness is one of the best strategies for creating and maintaining a holistic security culture within the business. The culture of the enterprise is defined by shared attitudes, values, and practices that support the mission. The primary mission of security is to protect assets; however, anything and everything that the security department does should be in harmony with the overall business culture.
Some of the basic characteristics of a good security awareness programme are:
- When used as a mitigation strategy, it should bring a degree of risk reduction to many different risks collectively.
- It should enable employees to understand the relationship between successful business enterprise operations and their personal security obligations under the programme.
- It should provide useful feedback mechanisms.
- It should empower employees so that they feel they belong to the security effort.
Four basic aspects to adopt in a security awareness programme:
- Training
  - Conduct regular security drills and exercises with staff and respective security personnel.
  - Conduct security induction training for new hires to convey the approach that every employee is considered a member of the security team.
  - Train staff promptly on identified security threats to prepare them to detect and respond to these threats when they occur. This not only enhances their awareness of those threats but also serves as a mitigation strategy that reduces the threat impact.
- Role modelling
  - Ensure the security function leads in implementing security programmes and in adopting high standards of integrity and good ethics in its day-to-day duties. By doing so, it sets a good example for the rest of the staff to follow.
  - Ensure the leadership of the business enterprise promotes the security programmes in place by setting an example. Garnering their support is achievable when security is viewed as a business enabler within the business.
- Engage and integrate
  - Involve the business in the security risk analysis process.
  - Practise transparency, not secrecy. While doing so, apply the ‘need to know’ and ‘need to go’ rule in communication protocols to protect confidential information.
  - Create a call center or accessible contact available 24/7 for employees to call if they have a problem related to security.
  - Co-locate security management alongside other business functions, not isolated away in a separate building.
  - Cross-pollinate staff, because security should be seen as a function that anybody can apply to join. Similarly, security should be seen as a stepping stone to other jobs in the business enterprise.
  - Integrate security considerations into business and operational procedures.
  - Periodically conduct perception and satisfaction surveys as feedback mechanisms.
- Empower
  - Add essential services within the security function to improve the image of security in your business enterprise. For example, empower front-line security officers with first responder skills for first aid, firefighting, emergency rescue and evacuation. This would have an economic benefit as well as make the security team accessible to regular staff.
  - Use the experience of the security team to provide advice through periodic security advisories to employees on security issues relevant to their personal lives, such as domestic security, fraud and scams, travel security and much more.
  - Inspire staff in the security function by recognizing their performance and rewarding them for targets achieved.
  - Encourage security staff to grow their expertise through development and knowledge.
Security awareness should be an ongoing process in all areas of business, and integrating it into day-to-day business operations and activities is the best practice for building and retaining a strong security culture within the business enterprise.