Before diving into the planning process for a security awareness training project, it’s important to assign a project manager and appoint a communications champion as part of the project. Creating a project includes defining business objectives and scope (what’s included and what’s not) in a project plan document.
Ideally, the project objectives will closely mirror those described in the business case that was either verbally provided or put into an actual written document to obtain the approvals needed to ensure program success. If you haven’t completed the business case yet, then it is imperative you do this first. Ensure you have complete management buy-in before proceeding to the planning stages. To ensure you are working toward the right goals, you should start by answering the following questions:
- How sensitive is the information stored, processed, and exchanged with outside entities?
- What regulatory constraints apply (e.g., HIPAA and SOX)?
- What is the company’s security strategy?
- What are the company’s security policies? How do they translate to practical, day-to-day activities?
- What are the company’s critical business processes?
- How does security affect employees’ day-to-day activities?
- How would a major security incident affect the health of the business?
Answering these questions helps focus the training on the ISATP message: a message unique to the combination of company culture, the industry in which the company operates, the regulatory climate, and the kinds of sensitive information processed or stored. Communicating this message, and choosing the method of communicating it, is the responsibility of the communications champion.
Although the project manager is responsible for coordinating project activities, it’s the communications champion who provides vision and works with management to gain and maintain support for security awareness.
Project Manager functional roles may include:
- Overall project coordination.
- Project plan development and timelines.
- Oversees the roll-out of the quiz (if applicable) and reviews results with management.
- Ensures delivery of online training and reinforcement tools.
- Oversees the review and editing of any content changes and/or any customization requirements on the online training.
Communications Champion functional roles may include:
- Works with the project manager and management to ensure the correct messaging and vision are developed for the ISATP program.
- Ensures that different types of communication mediums are used in order to get the message out to the users.
- Develops a communications plan and executes on the plan to gain user interest and provide momentum for the ISATP program. Works with the project manager to align dates and roll-out for various aspects of the ISATP program.
- Continues to work with management to get their ongoing support and participation in the process.
- Assists with, develops, and/or facilitates the execution of ideas on how to communicate with the users (e.g., posters, games).
In our experience with hundreds of clients, we have found that the project manager can’t successfully provide both planning skills and the skills of a communications champion. The role is too large for one individual, and typically the project manager does not have the time to dedicate to the important messaging and communication momentum required to get both user and management buy-in to the program.