Responsibility...just because they are aware, doesn’t mean that they actually care.

This blog was cowritten by Joanna Huisman, KnowBe4's new SVP Strategic Insights & Research and Aimee Laycock.  They say it takes a village to raise a child. It’s similar to any organization if you really think about it. A group of individuals owning their part in moving something forward, making it work. When you apply this thinking to employees practicing secure behaviors, employees need to be fully aware and committed to their role in the protection of the organization and its information in order to understand their responsibilities.

Awareness is not enough… just because they are aware, doesn’t mean that they actually care.

Employees can have knowledge of security issues, positive attitudes and generally good awareness of security concerns, but they also need to understand their responsibilities and roles in securing their organization so that they are proactively engaged in resisting and reporting security incidents.

Although every employee must be fully invested in doing their part, their roles may be different depending on where they sit within the organization. Employees working in IT will have different responsibilities in supporting a secure culture vs. a salesperson on the front line. Alike, a senior leader may have different responsibilities than an individual contributor.

Even though all of their vantage points may be different, their equal engagement and contribution to a more secure culture are paramount. It’s like members of a community each understanding their specific value and responsibility to the larger group.

Understanding of our roles and responsibilities is thus an important part of security culture. Moreover, an employee’s awareness of their own individual security responsibilities, and their understanding of the importance of their responsibilities for the information security of the organization, is a key component of information security culture.

In any organization, security is everyone’s responsibility.

Responsibilities can be influenced by clearly defining the roles of employees regarding security. If the members of an organization do not understand their place in the security of the organization, they are less likely to follow the necessary steps and procedures to make the organization safe.

So, what can you do now?

• Humanize your policies: Ensure information security policies and procedures are up-to-date, easily digestible, and understandable for everyone. Be mindful that certain policies and procedures may need adaptation for some employees, depending on their role and their responsibilities towards information security in your organization.
• Listen to your people: One way to help ensure that your message of responsibility resonates with your audience is to listen to their concerns. Whether you are addressing senior management or front-line staff, it is important that the information is provided in a way that is digestible and relevant to them. Find out what is important to them and why.
• Make security personal and relatable: Time should be taken to explain to every member of the organization how they fit into the security system of the organization, even if they are not working on sensitive material. Because, when everyone is aware of their place within the organization’s security, each person can more easily see how they can improve the security situation by their actions.

When explaining why certain security measures are important, be sure to communicate why they are important for them. For example, explain how the measure will affect their work, how will they benefit, and what impact it will have on them. At the end of the day, how employees perceive their role is a critical factor in sustaining or endangering the security of the organization.