So, thus begins my blog. Admittedly, it’s long overdue. My intention to blog has been very honourable (honestly), it’s just the ‘actually doing it’ bit which has been a little slack, to say the least.
Yesterday, I spent the day at The Security Company – a wonderful duo of converted barns in the middle of nowhere, quite literally – and my experience there is what has finally inspired me to start a blog.
I met Martin Smith, the founder and CEO of The Security Company (which offers employee security awareness and compliance solutions), some months ago. We met over lunch, and I took a lot away from that meeting. Smith is a man whose business is his passion, his beliefs pretty much set in stone, and his ambition is off the scale. Since then, I’ve realised just how well-known he is in the industry. His name raises a smile (and often eyebrows) – certainly some kind of reaction – from anyone who knows, or has come into contact with Martin.
Over lunch, Martin convinced me to visit their offices near Cambridge, so yesterday, that’s what I did. Arriving at The Security Company is like going home at the end of the day. How so? Well, the barns are homely, the kettle is always on, the employees are relaxed, friendly and tell me that they’re more like a family than colleagues, and parking is a nightmare. They told me about the early days of The Security Company where Martin’s lounge was their office and “feeding the cat was in the job description”.
Well, things have certainly moved on since then, but the company still retains its close-knit, intimate vibe. But things are changing, and Sarah Janes, the company’s brand new managing director, has big plans for the fairly small company.
“I want to grow the company bigger”, she tells me. She’s aware that as it stands, The Security Company is viewed by many as a family business, or even just as ‘Martin Smith’s company’, and she wants to move away from that.
While she understands how important it is to have a figurehead, and the value of Martin’s experience and network, it’s her ambition to “show everyone that we are in the market, in the industry, and that we are a whole team of passionate, dedicated people working to make this company successful”. Visibility, she says, is her goal. “It’s time we all get out there and put the message out. We’re doing what the market needs, we’re offering what no-one else is, and we need to show that”, she says.
While she understands how important it is to have a figurehead, and the value of Martin’s experience and network, it’s her ambition to “show everyone that we are in the market, in the industry, and that we are a whole team of passionate, dedicated people working to make this company successful”. Visibility, she says, is her goal. “It’s time we all get out there and put the message out. We’re doing what the market needs, we’re offering what no-one else is, and we need to show that”, she says.
Like the rest of The Security Company’s employees, Sarah Janes isn’t a tecchie, and doesn’t have a security background. She explains to me that she doesn’t need to be. “Our clients are security experts, they don’t need help from us in that area. What they need is for us to help them communicate with the business”. This makes perfect sense to me.
Janes, who has worked for The Security Company since its launch in 2005, is positive about the future of the company under her watchful eye. At only thirty, she is statistically a young MD, but this isn’t going to get in her way. Martin lists her “energy, enthusiasm, creativity and imagination” as qualities which will ensure her success as managing director.
I asked Sarah, and The Security Company’s marketing director, Lisa, what they consider to be poor and ineffective awareness campaigns. This is what they said:
- Sporadic and inconsistent messages
- Mouse-mat campaigns
- Messages written from the “security guy’s point of view”
- Emails with too much text and too many bullet points
- CYA (Cover your Arse) campaigns that intend to ‘tick a box
I’m sure some of the above ring a bell with you, from experiences with companies you’ve worked for. The Security Company, of course, wouldn’t touch any of these methods with a barge-pole. Instead, their awareness strategies are based on the following:
- Humour
- Story-telling. (Making sure the employee knows why).
- Real life examples: which help people to retain a message
- Making it relevant to their personal lives
- Quizzes
At the moment, they are currently working on a Jerry Springer type chat show to educate employees about information security. They have also based campaigns around helium balloons (with URLS on) and cartoons. I don’t know about you, but I’d like to see some of these put into play in my own organisation.
The consistent message that Janes and the rest of the team promote is that in order to educate and teach your employees how to be aware and act securely, you first need to make them understand why it’s important and why it’s relevant.
I’ve often written editorials about the importance of education, awareness, and ultimately people. My day at The Security Company only reinforced how utterly essential it is that organisations invest not only in technology, but in awareness and education. The message is simple: Invest in your people.
I’d love to hear from you about some of the awareness programmes that either you or your organisation have tried out. What worked? What didn’t? What would you like to see more of? All comments welcome…