Step Two: Sell the Policy

It's no secret that those who are well suited to create a securitypolicy are not always the most adept at getting its message across."Security professionals don't always make the best communicators,"admits Stacy Bresler, senior information security principal atPacificorp, a subsidiary of ScottishPower. When Bresler and his teamimplemented a new security awareness program for Pacificorp's users, agroup from corporate communications helped prepare the presentationmaterial that was handed out to employees during awareness trainingsessions. "Good experts have a way of understanding and spreading thatunderstanding," he says. In addition, Pacificorp's security team hiredprofessional actors to play out the message in a video. Every employeewas required to either attend a security presentation or watch thevideo.

Security, except to a select few, is about as exciting as watching thegrass grow...in the desert...during a heat wave. "I think you have tobe a certain person to care about security," says Bresler.

Independent security consultant Luce agrees: "Security is a boringtopic to most people. So you have to put stuff in to counter that andget people's attention." His suggestion: Make it fun. When he workedfor RHI, he introduced an in-house security training plan with akick-off party. On occasion, he would also run tests to see who couldcatch potential security breaches. Those who discovered them wererewarded with gift certificates for dinner or points toward a bonusvacation day.