Tips for crafting a great workplace IT security awareness program

Topics that hit home, such as identity theft and monitoring kids' online activities, can engage employees on the topic of IT security


IT security pros share tips on implementing information security awareness programs in the workplace at SecureWorld Boston

Selling information security awareness to employees can be like "pushing the Queen Mary up Mt. Everest on the best of days," says Jay Carter, director of information security for the faculty of arts and sciences at Harvard University. But that hasn't stopped him from trying over the years, and he has success stories to share.

He did so at the SecureWorld Boston conference Wednesday, alongside co-panelist Michael Ste. Marie, information security analyst for Federal Home Loan Bank of Boston.

Carter says he has established an advisory council with faculty and staff at Harvard to ensure end users' concerns are addressed in establishing security policies. "I can't overstate the importance of establishing a two-way dialogue with your community," he says.


Carter schedules regular meetings to update end users on security policy issues and to re-emphasize major points. He has also printed up Information Security 101 brochures with a custom logo, Harvard's emblem secured with a lock and key, which he says is part of a consistent branding effort.

Posters, customized screen savers with security messages and other communications mechanisms can also be used to spread the word. In a past job, he bought information videos and the staff printed out movie tickets and provided pizza, then popcorn, for those who attended.

"It's an opportunity to be creative," he says. Plus, he adds, offering food always gets people's attention.

Carter advises that when writing a security policy, general titles and a common phone number/email address should be used rather than individuals' names and numbers given that IT security staff come and go.


Carter, who also implemented security awareness education programs at other organizations before coming to Harvard, says that when a breach does occur or a malware infection takes place, the IT security department should use the event as an opportunity to stress the reality of security threats and the importance of adhering to best practices. "If management doesn't know you're facing challenges they'll wonder why they need an info security department," he says.

"Transparency is the best tool to promote information security," Carter says.

FHLB's Ste. Marie says getting and keeping employees interested in information security is the big challenge since "it's not going to happen overnight – it's a cultural change."

He engaged employees by holding sessions with them about topics that might appeal to their personal lives as well, such as wireless router security, identity theft/phishing and monitoring kids online. He also passed along news articles of interest on such topics, and the result was two-way conversation.

"It worked. People are talking to me all the time," he said.

Follow Bob Brown on Twitter at
