Building a successful security awareness program Part 1

Written By Robert D. Sollars
Want to unsubscribe? Sorry to see you go, but…Send a blank e-mail with unsubscribe in the subject line to
In the not-so-distant past, it was generally accepted, that you could put a security officer on duty and that’s all you needed to do, except turn off the lights, lock the doors… and That was it. As little as 20 years ago, that’s all you needed…but no longer.
The primary purpose of a security awareness program is to change behavior, inform, and improve the culture. Secondarily, was to protect the organizations’ assets, property, & the people under the roof from harm in all its forms.
Far too Many people, especially if there is too much mistrust between people & management, interpret security as a hindrance to their efforts & workflow. It is also their perception, of security as an extension of management, which it is. Therefore, it is an adversary and not the help or protection they are supposed to be, a perception that is totally & completely false.
Building an awareness program to convince everyone involved that security can help to further their safety and security from a myriad of threats, not hinder or restrict them, is of paramount importance to the organization. But when financial resources are tight, how can you do this and not bore them to death with lectures, posters, or memos & have them retain it in the gray matter on top?
It is unfortunate, but it’s rare for an organization to actually implement a program that is intent on actively engaging the people under their roof, and protection, with the sole purpose of striving for a better security culture and the advantageous relationship between management & employees. Many people believe that the organization is responsible for their security, which of course it is, and they shouldn’t do anything but whine & complain about the policies & procedures meant to hinder their workflow and harass them.
In these two posts, I’m hoping to show you a guideline to attempt to assist you to design and implement an awareness program for the organization and its denizens. Am I positive that this will work for every organization? Nope. For some organizations, who follow through to the end tweaking it for their use, it will work. For some, either the higher-ups and front liners, or both, will not have enough buy-in for success, sabotaging it for their own purposes.
It’s not hard or complicated to either understand or implement. However, where you may find it complicated is in the actual details of several components. Everyone is different. Cookie cutters only work for Christmas cookies and the government, not for organizations who wish to make changes in the security of their people & assets.
Setting the stage:
This is possibly the most complicated and most difficult step in the entire process. But it is by far the most important…the people must trust you. Without the trust between all levels of the organization that must be engendered beforehand, you are impotent in trying to convince them to assist with their own safety & security.
It will get worse with people who may attempt to disrupt or interrupt security programs, which I have seen in my nearly 40 -year career.
This goes to the culture of the organization and what administration/management puts out. An old cliché says You get back what you put out. If you trust your people, even with teenagers, and do what you should do, then, hopefully, they will instinctively trust you.
If your employees distrust you, for any reason, then they are not likely to either listen or involve themselves in the program. Many times, the excuses that may come out of it are the same as they would be for workplace/school violence. I’m realistic about it, some of your people will never trust you for any reason. Usually, this is due to one incident when something occurred and you lied or misled them, either real or they perceived it as a lie or slight on your part.
Picking the Training Angle:
Now that you’ve learned if there are any trust issues within the company, you’re ready for the 2nd step in the process… picking the right way to present the information. If setting the stage is the most important, then this would be a very close 2nd.
The primary reason that this is so important as to rank a close 2nd is the fact that if it’s not presented correctly and in a way that actually engages your employees, then it is a waste of time & financial resources, which should be intolerable by…everyone. Your employees must be interested in learning the material and listening to what has to be taught.
Will you have your, supposedly, dull plodding security manager, or will you hire a professional training company, which can be very expensive, to present the material? Despite the expense, it is preferable to hire an outside consultant to deliver the information and provide the necessary material for the presentations.
Why? If there are underlying trust issues you didn’t uncover, then the individual in charge of your security either is not likely to be a person to be trusted within your organization despite being the most qualified. An Outside consultant is someone they don’t know but could generally, more easily trust.
Again, I’ll reiterate the point, your employees must trust you in order to buy into the idea. Your management team up to and including the C-suite, where it begins or ends because this is where usually all the distrust originates from for innumerable reasons.
Now covering the way to show and improve your employee’s awareness and hopefully get them to realize how important security really is to both them and the company. If you can successfully do that, then you’ll have extra eyes assisting your security officers in doing more than observing & reporting to management.
There will always be those within the company who will distrust any management directive as hindering and spying on them. Unfortunately, in most cases, because this mistrust runs deep, no matter what you do, there will be the agitators who will attempt to disrupt your efforts to secure them and the company. That is their perception and it will probably never change or if it does it will be a long tedious process.

It happens to Anyone…Any Time…Anywhere… For any Reason
I May Be Blind, but My Vision Is Crystal Clear
Permission to share? Of course, with full attribution.
Copyright 2021 Robert D. Sollars

Leave a Reply

Your email address will not be published. Required fields are marked *

Call Now ButtonCall Now!