A solid security policy is critical to creating a culture of security embedded into every business. I explored what makes an effective cybersecurity policy in Part 1. Here, I will look at how to make the policies work – and that means effectively communicating them across the entire organisation.

Essentially, communication techniques must fulfil two objectives. First, they must be able to apply the advice practically, which requires managers to truly understand how employees work, and ensure that security policies don’t make their jobs too difficult. Second, awareness initiatives should address employees’ attitudes and intentions, making them willing participants.

There are several critical success factors in cybersecurity awareness campaigns. These include:

  • Looking for actual changes in behaviour rather than simply checking boxes.
  • Constantly reinforcing policy information by delivering it in different formats over time.
  • Using engaging and appropriate materials.
  • Collecting metrics to assess effectiveness (examples might include ‘white hat’ phishing campaigns to see how many people open suspicious mails).
  • Using multiple training exercises to cover different threats.

Effective implementation also involves identifying the people in the organisation who should be responsible for enforcing the policy. This creates strong points of accountability within the chain of command.

These are all effective tools, but perhaps one of the most important ways to encourage a cybersecurity culture is leadership. Effective managers will lead by example, being the first to demonstrate and be accountable for the tenets of the policy.

It isn’t enough to simply acknowledge the risk and then shrink from it. Preparation is everything when managing cyber risk. Start by identifying your key assets, gain an understanding of the threats to them and the impact they would have. Design effective practices designed to protect them, and engage employees intelligently.