Security awareness

Designing the perfect security awareness newsletter

John G. Laskey
August 3, 2015 by
John G. Laskey

Even in smaller organizations, a regular security awareness newsletter can support effective, participative security. While your organization's editorial rules could be a creative break on a really great newsletter, the following tips can help you build up an effective one that will be welcomed by associates and be an asset to the organization's security.

  • Do the groundwork – strategic fit/policy/deciding on media

Strategic fit. The first point to consider when designing a new security newsletter is not its appearance or even its content, but its fit and sustainability within the overall business. The very best designed security newsletter will be rendered pointless unless it can clearly support your organization's mission and its business needs. Failing to capture this strategic high ground will open your best efforts to competition over scarce resources and to challenges about cost (remember: cost is rendered not only in material terms, but also in measurable units of people/hours. Even security articles that snap-in to a ready-to-publish template take time to produce and to edit.) Getting this strategic fit right will help you to make your newsletter reasonably bulletproof from internal challenges.

Policy. Even occasional newsletters must key in to the organization's policies on security and security awareness. These are sometimes mandatory, for example within HIPAA, FISMA, SOX, and GLBA. Since a newsletter can be the mouthpiece of legal requirements, it can also become a highly visible part of legal compliance. This can be useful to the organization when compliance officers and auditors come checking. That is also a useful point to make when considering its strategic fit (see above).

Media. Nowadays there is a very wide choice of media beyond the traditional paper-based newsletter (which in any case is likely to challenge both modern green/sustainability and financial policies). However, as with traditional paper notices, it works best if kept to one page. Wherever possible, you should run alongside company policy for publications. Where there isn't one, consider this an opportunity for bold, attention-grabbing media, perhaps keyed in to the full range of devices that are used by the organization's associates. Security might then get a helpful reputation for being leading edge in the way the organization communicates with its associates.

  • Two or three articles per newsletter, preferably not more than 150 well-crafted words each

Security is serious. But the tone of a newsletter needs to be positive and upbeat. With security, it's easy to fall into modes of language that can be challenging and off-putting. For example technical speak and a forbidding tone are on their own barriers to security: put them together and they become a thick mix of inhibitors. Imagine how you might need to tell colleagues about a security exploit that is technical in nature and has damaged your organization's assets and reputation – within 150 words. There are many very able security staff, but sometimes getting their message across can be their most challenging task. So take time to get the language in articles right. Seek to shorten complex ideas into digestible soundbites that will be easy for the greatest number of associates to absorb quickly.

Human interest. People like to read stories about other people and things that have really happened, not laboratory theories. As with any morality tale, it's important to seek out a human angle, in particular to address how security issues can affect individuals first, and ultimately the organization. There is of course a need to make sure that identities are protected in the process (unless a case is so high profile that it makes no sense to do this). So, a feature about the loss of data might storyline how the fault of an individual has led on to this serious legal issue to the organization.

  • Include pictures and simple graphics to illustrate any points being made

Pictures, particularly of people, brighten up newsletters. But many of the images you can see being used are stock photos, often of clean, reliable-looking strangers who are always smiling. This is not wrong, but remember: many other organizations use the same pictures. It can be a great advantage to include images of real security/people doing the organization's business. This can also encourage recognition, both of individuals and of processes. If you have a narrative about a security associate who might otherwise be passed by at the front door, or of a new piece of black-box security equipment that will prevent theft, these can be enhanced by well-composed pictures.

Similarly, uncomplicated, preferably color-coded diagrams using everyday presentation tools can be used to illustrate interesting points. One that received some positive reviews for an organization I worked with had categorized the nature of calls taken by the company's security helpline number. This also became useful during strategic planning for security resources.

  • Encourage general feedback/participation from senior managers

It is important to encourage communications between security managers and the organization's associates. At best, this can be used to measure the effectiveness of security issues even allowing you to make adjustments where these are merited. Newsletters should encourage discussion; always ensuring things stays inside of editorial guidelines.

Senior managers can help the process by demonstrating their own endorsement of security policies through comments and quotes, even by articles of their own. Security frameworks such as ISO 27001 require high-level participation in security management, so these sorts of contributions can even be presented as evidence when being audited for compliance and certification.

  • Add sidebars with contact points, links to discussion groups, any company messages, etc.

Be ready to use the newsletters to repeat the basic security messages, for instance the company statement of security policy might form one permanent strapline. There should be references to any security contacts for seeking advice and for reporting incidents.

  • Issue frequently, with numbered references for possible audit and compliance checks

I have seen newsletters issued at intervals of up to three months. This is too long to create a compelling narrative. Imagine how few people might watch an otherwise interesting TV series if they had to wait for that long between episodes! Nor will this help to sustain interest among associates. It is much better to publish little and often, aiming at one (page) side. This can also encourage brand recognition, a sense of continuity and a sense of commitment from the security team in getting their messages across. It should also reduce reader fatigue and create the right conditions for important messages to be absorbed.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Lastly, you will see that I make no recommendation about the design of a great newsletter. This must depend upon the resources you have available, the skillfulness of your design people and last but not least, the whims and tastes of your management. That said I believe design is best left to designers. But if you follow the above guidelines you should be able to pass them everything they need to produce a newsletter that will blow away the dusty image which that term conjures up! Check out our new enterprise security awareness platform page for a free demo and price quote!

John G. Laskey
John G. Laskey

John Laskey is a US-based security consultant who previously worked in the British government, where he was responsible for securing systems and advising senior managers about major programs. In the US, John has taught the ISO 27001 standard and is now helping develop and market new InfoSec products and services. He is a member of ISSA (New England Chapter).