Awareness is not enough… just because employees are aware doesn’t mean that they actually care.
Employees can have knowledge of security issues, positive attitudes and generally good awareness of security concerns, but they also need to understand their responsibilities and roles in securing their organization so that they are proactively engaged in resisting and reporting security incidents.
Although every employee must be fully invested in doing their part, their roles may be different depending on where they sit within the organization. Employees working in IT will have different responsibilities in supporting a secure culture vs. a salesperson on the front line. Likewise, a senior leader may have different responsibilities than an individual contributor.
Even though all of their vantage points may be different, their equal engagement and contribution to a more secure culture are paramount. It’s like members of a community each understanding their specific value and responsibility to the larger group.
Understanding of our roles and responsibilities is thus an important part of security culture. Moreover, an employee’s awareness of their own individual security responsibilities, and their understanding of the importance of their responsibilities for the information security of the organization, is a key component of information security culture.
In any organization, security is everyone’s responsibility.
Responsibilities can be influenced by clearly defining the roles of employees regarding security. If the members of an organization do not understand their place in the security of the organization, they are less likely to follow the necessary steps and procedures to make the organization safe.
So, what can you do now?
When explaining why certain security measures are important, be sure to communicate why they are important for the employees themselves. For example, explain how the measure will affect their work, how they will benefit, and what impact it will have on them. At the end of the day, how employees perceive their role is a critical factor in sustaining or endangering the security of the organization.