Information Security in Market Research: Getting the Buy-In with 'InfoSec Moments'
In my previous blog I discussed some of the steps you can take to create a strong information security culture within your market research organisation or department. In this post I’m going to focus in on one of those steps - the concept of ‘InfoSec Moments’ – and share some practical tips both for creating them, and making them an effective part of your information security awareness strategy.
To recap, infosec moments are key information security messages presented and repeated in a short, simple, focused way, within context, so that they are continually absorbed (by insight staff) and thereby support the formation of positive habits in regard to information security. Why is this important? Well, people have short memories and limited attention spans, which is why, despite best efforts, training and business initiatives can often fail to take hold and effect the change they were designed for. Without follow-up, the best information security training session quickly becomes a distant memory.
The purpose of infosec moments is to bring information security into the day-to-day working environment, to normalise and embed its ethos. Infosec moments are not a replacement for formal security training or corporate security policies but they are fundamental to overall cultural adoption. So, let’s take a look at making them happen.
Infosec moments can come in many formats. Remember that the format chosen should be compatible with the message you are trying to communicate and the outcome you wish to achieve. This is crucial to success. Posters, footers on internal emails and internal merchandise (pens, mugs, coasters, etc.) can be effective in reminding researchers to partake in simple security behaviours, e.g. maintaining clear desks and shredding confidential documents. However, where your message is more complex or controversial, these techniques will have little impact. Employ a more proactive, assertive approach here.
Begin department / company internal meetings with 3 or 5 minutes devoted to information security. This time could be used to share examples of newsworthy security breaches and their impact. Where internal meetings are regular, consider involving researchers in such ‘moment’ creation - invite a different person to share a story each week or month. Equally, you might like to focus on the positive business impact of embracing information security. Either way this approach sends a much stronger communication to those attending that the issue in question is of considerable importance and demands attention.
2. InfoSec Moments - Content
Don’t be afraid to think outside the box when it comes to crafting security moments - both in terms of the delivery and content. People have different learning styles and it’s important to accommodate this if you want your message to truly take root. A variety of (message appropriate) formats will also maintain overall engagement. Quizzes, short videos, facts, trivia and personal and third person or business stories can all be used to bring colour and humour to what, for some, is a dry topic.
3. InfoSec Moments - Length
Avoid the temptation to do too much in each infosec moment. Their value comes from their short, easily digestible format that asks little of the audience in terms of a time investment. If you want to promote a particular behaviour, make it crystal clear what that behaviour is, simply and quickly, avoiding both jargon and unnecessary distractions. If your desired behaviour cannot be communicated concisely, acknowledge this and make the focus of your moment a quality reference for guidance in its correct performance.
4. InfoSec Moments - Schedule
Often, when we are introducing a new way of working (procedures, policies, thought processes), it can seem like there are literally hundreds of things that we want our entire market research staff complement to know… right now! Information security is no different. It’s easy to be ambitious, but resist the urge to go overboard with your infosec moment frequency. They will lose their impact. Planning is the key here.
Take a step back. Break information security (as applied to your organisation or department) down into sub topics and sub topics down into moments. Work out which moments are the most important to you right now and which can wait a while. Use this information to build an infosec moments schedule – considering the delivery mechanism, content, length, required repetition and exposure time for each. Your goal is to create a long term calendar plan of bite-sized information security communication. Doing this at the outset ensures both individual moments are delivered to maximum effect and that the full range of information security teaching is ultimately assimilated.
5. InfoSec Moments – Continuity
It can be tempting to focus on the negative when trying to create buy-in for information security initiatives, i.e. the behaviour you want people to avoid or the consequences of not adhering to a specific policy. While you can adopt this style in your infosec moments, if you rely on it solely you are at risk of building security fatigue/apathy in your research audience.
Sharing organisation or department achievements is a refreshing approach to infosec moments and one that will motivate and empower your audience. You might choose to communicate the information security risks that were proactively avoided, highlight a behaviour change that has been effected, or praise a member of staff for their actions in relation to a security threat. Doing so shows that the initiative is being taken seriously and that performance is being recognised and rewarded.
Promoting success is particularly important when things are going well, when an information security culture has been established for some time and incidents are few and far between. Complacency can set in at this point, which brings renewed vulnerability. Remind your researchers of information security wins and benefits; show them that their continued vigilance is worthwhile.
Information security is of course my ‘thing’ and I believe that it is essential to the integrity of any industry entrusted with the vast amount of personal and commercial data that we in the market research industry are. But I appreciate every workplace has its own goals as well as behaviours that need promoting or stamping out. So I wanted to highlight that the ‘moment’ concept can be applied to any cultural business initiative, be it customer experience, sales, environmental - to list but a few possibilities. Just remember, keep it short, innovative and positive (as far as possible) and you will succeed… I did. Good luck.
Louisa is a self-described Info Sec Warrior, who has been key to FlexMR obtaining the ISO 27001 and Cyber Essentials Plus certifications. She is responsible for our information and data security processes, using her extensive knowledge of market research and attention to detail to ensure that we provide the highest level of security possible. You can follow Louisa on Twitter.