Hello Class!

Welcome to Week 4. This week's assignment will help you to fulfill the requirements for the fourth course objective (CO-4).

Assignment Instructions:

Select the PDF attached to this assignment to download and read the Geoff Keston article titled "Developing A Security Communications Plan."

According to Keston (2013), "A mark of a mature security communications program is the shift away from one-time messages, such as ad hoc emails. Such messages are easily forgotten and are often hard to find after a few weeks. A good security communications plan will include sending updates and alerts as well as maintaining a repository of documentation. Creating such a repository (or a consolidated document) makes information easier to find, and it helps to link together disparate elements into a unified plan."

For the purpose of this assignment, you are tasked as the Cybersecurity Director to prepare a Security Communications Plan for execution at the program level. You are to develop a security communications plan for your organization that addresses the handling of all communications related to security. Follow the requirements below:

REQUIREMENTS:

  1. 4 – 6 Pages in length in APA format (not including a cover page and reference section)
  2. Cover Page
  3. Develop a comprehensive security communications plan that does the following:
    • Identify archiving procedures
    • Establish approval processes for sending communications
    • Describe legal and regulatory requirements
    • Define key terms
    • Define severity levels and message types
    • Using the definitions of severity levels and message types, diagram who receives messages and through what means they receive them (e.g., text messages)
    • The plan will address the concerns of many constituents, including executives, IT staff members, and end users, as well as customers and partners. Each group has somewhat different needs, so it is helpful to structure a plan to protect sensitive information from the entire group and to make targeted information easy for its audience to find.
  4. Reference Section

MISCELLANEOUS:

  1. Your references should not be more than 5 years old
  2. Your assignment is due by Sunday, not later than 11:59 p.m. Eastern time.

GRADING RUBRIC (each category is scored 4, 3, 2 or 1, then multiplied by the category multiplier; the sum of the weighted scores is the total):

Introduction (x 2.5)
  4 – The introduction clearly states the main topic and previews the structure of the paper.
  3 – The introduction clearly states the main topic but only partially previews the structure of the paper.
  2 – The introduction states the main topic, but does not preview the structure of the paper.
  1 – There is no clear introduction to the main topic or structure of the paper.

Paragraph Construction (x 2.5)
  4 – All paragraphs include an introductory sentence, explanations or details, and a concluding sentence.
  3 – Most paragraphs include introductory sentences, explanations or details, and concluding sentences.
  2 – Paragraphs include related information but are typically not constructed well.
  1 – The paragraphing structure is not clear, and sentences are not typically related within the paragraphs.

Sequencing (x 2.5)
  4 – Details are placed in a logical order and correspond to the structure presented in the introduction.
  3 – Details are sometimes logically placed but do not correspond to the structure presented in the introduction.
  2 – Some details are not in a logical or expected order, distracting the reader.
  1 – Many details are not in a logical or expected order. There is little sense that the writing is organized.

Transitions (x 2.5)
  4 – A variety of thoughtful transitions are used. They clearly show how ideas are connected.
  3 – Transitions clearly show how ideas are connected, but there is little variety.
  2 – Some transitions work well, but connections between other ideas are fuzzy.
  1 – The transitions between ideas are unclear or nonexistent.

Supportive Research (x 2.5)
  4 – Supporting research studies and/or reports are research-based and accurately reported.
  3 – Supporting research studies and/or reports are not accurately reported.
  2 – Research studies and/or reports do not support the discussion.
  1 – Research studies and/or reports are limited and/or inaccurately reported.

Quality of Information (x 2.5)
  4 – Information clearly relates to the main topic. It includes several supporting details and/or examples. The paper is in APA format, and the body of the paper is between 8 and 10 pages.
  3 – Information clearly relates to the main topic. It provides 1-2 supporting details and/or examples. The paper is not completely in APA format, and the body of the paper is between 8 and 10 pages.
  2 – Information clearly relates to the main topic. No details and/or examples are given. The paper is not completely in APA format, and the body of the paper is between 8 and 10 pages.
  1 – Information has little or nothing to do with the main topic. The paper is completely in APA format, and the body is between 8 and 10 pages.

Conclusion/Recommendations (x 2.5)
  4 – The conclusion effectively summarizes the discussion and provides at least two recommendations for further research.
  3 – The conclusion summarizes the paper but provides only one recommendation for further research.
  2 – The conclusion partially summarizes the discussion but provides no recommendations.
  1 – The conclusion is poorly constructed.

Sources, Citations and References (x 2.5)
  4 – All sources (information and graphics) are accurately documented in APA. If you had a citation in the body of your work, you must have the appropriate reference in the reference section. (Provided at least 10 references.)
  3 – Two sources are not documented in APA format. If you had a citation in the body of your work, you must have the appropriate reference in the reference section. (Provided at least 10 references.)
  2 – Several sources are not documented in APA format. Not all citations match the reference in the reference section. (Provided fewer than 10 references.)
  1 – Several sources are not documented in APA format. Not all citations match the reference in the reference section. (Provided fewer than 5 references.)

Mechanics (x 2.5)
  4 – No grammatical, spelling, or punctuation errors.
  3 – One grammatical, spelling, or punctuation error.
  2 – Two grammatical, spelling, or punctuation errors.
  1 – More than two grammatical, spelling, or punctuation errors.

Timeliness
  All late submissions have a 10 point (10%) deduction.

Developing A Security Communications Plan

by Geoff Keston Copyright November 2013, Faulkner Information Services. All rights reserved.

Inside this report:
  A New Approach to Security Communications
  The Importance of Structure
  The Importance of Style
  The Communications Lifecycle
  Recommendations
  Resource File

A New Approach to Security Communications

An antiquated understanding of security communication views the practice's main question as: "what should IT announce to the rest of the company?" This perspective has given way to a multi-departmental approach that has each department sending and receiving information. In the old scenario, IT controlled information and decided whom to permit to have it. In the new scenario, each department defines what information it needs and, just as importantly, what information it needs to distribute to its constituents (e.g., customers, partners). After all, IT does not necessarily know who would be affected if a certain application is taken down for security reasons.

This new approach to security communication has become prevalent as more diverse technologies have been put to use by a wider range of departments: for instance, employees are accessing corporate networks with personally owned mobile phones and tablets as part of bring-your-own-device (BYOD) programs, end users are provisioning their own services through automated programs, and social media and cloud services are being used for corporate purposes. At the same time, cyber threats have grown more diverse.

Collectively, these changes have created the need for more communication about security among a wider range of people across more channels. This increased burden is forcing enterprises to more comprehensively and carefully manage the delivery and organization of security information. Part of making this change is creating a detailed, formalized security communications plan.

The Importance of Structure

A mark of a mature security communications program is the shift away from one-time messages, such as ad hoc emails. Such messages are easily forgotten and are often hard to find after a few weeks. A good security communications plan will include sending updates and alerts as well as maintaining a repository of documentation. Creating such a repository (or a consolidated document) makes information easier to find, and it helps to link together disparate elements into a unified plan.

A comprehensive plan will do the following:

■ Identify archiving procedures

■ Establish approval processes for sending communications

■ Describe legal and regulatory requirements

■ Define key terms

■ Define severity levels and message types

■ Using the definitions of severity levels and message types, diagram who receives messages and through what means they receive them (e.g., text messages)

The plan will address the concerns of many constituents, including executives, IT staff members, and end users, as well as customers and partners. Each group has somewhat different needs, so it is helpful to structure a plan to protect sensitive information from the entire group and to make targeted information easy for its audience to find.

The Importance of Style

The challenges of planning communication flows and managing the technologies that disseminate messages across a dispersed, multi-platform environment can make enterprises lose sight of how the message is presented. But the style in which messages are delivered is crucial. "Unfortunately we the security community can be terrible communicators," says Lance Spitzner.1 "[A]s a result this is where many awareness programs quickly fall apart. If you present the content in a boring or hard to access fashion (especially for the YouTube generation) your program will be a failure. In addition, communication is exponentially more difficult for large or diverse organizations as you have to take into consideration a variety of cultural, national and linguistic differences."

To ensure that the style of security communications is effective, it can be helpful to rely on expertise from departments such as public relations or marketing, especially for messages to be sent outside the organization. Using templates and boilerplate language can further help, providing consistency and enabling the organization to deliver a message quickly, without having to repeat the time consuming process of writing, editing, and approving the text of a communication.

Tailoring messages to audiences based on their technical knowledge and other factors is also critical. "Some security awareness programs fail to adequately segment their audience and deliver appropriate messages," writes Chelsa Russell.2 "This is a very poor strategy that results in messages getting ignored. Users receive hundreds of messages every day from all different directions. It is critical to segment your audience and ensure that people only get the messages they need. A one-size-fits-all strategy may be easy on you, but it will not be effective."

The Communications Lifecycle

In a good, mature security environment, communication is not a one-time event that is completed when the IT department clicks "send" on a broadcast email. Instead, communication is a multi-stage, closed-loop process that starts with identifying the need to deliver a message and concludes with verifying that the message's content was well understood.

Communication is also a two-way process. Organizations need not only to send information, but also to receive feedback from users. "Listen to the stakeholders, understand their pain and problems, compile the details and verify your understanding of the problems before locking down the requirements," says project manager Wendy Woo.3 "You cannot understand the objectives and mission critical elements without connecting the dots and asking questions. You do not know if you are delivering the right solution without walking through the details and the intended outcome with the end users."

Feedback from all stakeholders is important. To encourage a dialogue, two processes in particular are useful:

■ Conduct Routine Audits – The audit process will gather information that might not otherwise come to the attention of the security planning team. During the audit, process activities will be analyzed, employees will be interviewed, and evidence such as customer messages will be inspected. All of this information will provide useful feedback.

■ Maintain a Continual Improvement Process – A formal process that lets users openly suggest changes or notify management of potential issues will help information security planners learn about problems at the operational level. This process is best managed as a closed-loop in which all suggestions are logged and evaluated and then action items are assigned to execute the recommendations that are approved. Standards such as ISO 27001 can help to structure such a process.

Recommendations

Integrate Security Communications with Other Processes

Security activities influence, and are influenced by, other corporate processes. Addressing these connected processes directly will strengthen a communications plan. In particular, the following processes relate closely to security:

■ An incident management process is the formal, often automated, handling of security issues. Some incidents are reported outages or failures, and others are alerts from a system such as a firewall. These reports and alerts are part of incident management, but they are also forms of communication. Therefore, it is helpful to link incident management and communications policies.

■ Security concerns overlap with business continuity and disaster recovery. Many of the preventive and reactive actions of security plans are similar to those described in business continuity and disaster recovery plans.

■ Regulatory compliance is increasingly an IT function, due in part to regulations, such as HIPAA, that are heavily technology focused.

Develop Policies for Communicating with Third Parties

The need to communicate about security reaches across organizational boundaries. Organizations may tell customers about breaches of their confidential data, receive new security specifications from partners, or explain a change in their privacy policies to the media. Managing these external communications differs in many ways from handling internal communication. With third-party communications, organizations cannot dictate what processes and technologies are used. Instead, they must work with others to develop policies for communication. While some principles – like the importance of structure and style – still hold, at a tactical level, organizations would be wise to be flexible about how they share information with customers, partners, and the press.

Resource File

International Organization for Standardization (ISO): http://www.iso.org/

References

1 Spitzner, L. Security awareness – How to communicate. SANS: Securing the Human. Jan 11.
2 Russell, C. Security awareness – Implementing an effective strategy. SANS Institute. Oct 02.
3 Woo, W. Ten communication failures that will sabotage your project. The Agilista PM. Available online from: http://www.agilistapm.com/10-comm-failures-sabotaging-projects/

About the Author

Geoff Keston is the author of more than 250 articles that help organizations find opportunities in business trends and technology. He also works directly with clients to develop communications strategies that improve processes and customer relationships. Mr. Keston has worked as a project manager for a major technology consulting and services company and is a Microsoft Certified Systems Engineer and a Certified Novell Administrator.