The Conversation

Computerworld - Having spent 23 years in the information security field, including stints as chief information security officer at Charles Schwab & Co., Bank of America Corp. and Volkswagen Credit, Ed Zeitler has learned a lot about how to convey the importance of information security to employees.

“The message has to be short and sweet and say what it has to say,” says Zeitler, who was recently named executive director of the International Information Systems Security Certification Consortium in Palm Harbor, Fla. “The less grand it is, the better received it is.”

In some of the companies where he has been CISO, Zeitler and his team have put together a “Did you know?” type of FAQ to draw employee attention to phone and PDA security. “It has to be entertaining,” he says.

Or it has to be memorable, like an advertisement that reads, “Don’t think your iPod is a threat? Guess again,” says Jon Miller, president of the Long Island chapter of the FBI’s InfraGard program.

Zeitler, Miller and other IT leaders have found that to get the security message to stick, it’s best to communicate frequently with workers but to vary the technique and type of medium used.

“One size does not fit all, because people have different ways of learning and doing things,” says Howard Schmidt, former White House cybersecurity adviser and CISO at Microsoft Corp. and eBay Inc. Schmidt has since founded R&H Security Consulting LLC in Issaquah, Wash.

Information security “is a marketing campaign,” says Mark Lobel, a partner at PricewaterhouseCoopers in New York. As such, he says, IT leaders should consider who their target audience is, which channels they should use to convey messages and the key messages they’re trying to get across.

To assist with this, each time he has stepped in as a corporate CISO, Zeitler has made it a top priority to add a communications specialist to his staff.

“I can get more security out of a company by hiring a communications specialist who’s really sharp than buying a bunch of network security equipment,” says Zeitler. That’s because communications professionals understand the audience they’re trying to reach and which marketing strategies and media will appeal most, he says.

That can be particularly useful for IT executives who might struggle with how to connect with workers who are 20 or 30 years younger than they are.

“When we think about the younger generation, they don’t trust a lot of people, but they do trust their managers,” says Susan Dorflinger, director of global employee marketing at GE Real Estate in Stamford, Conn. So in addition to posting security information on the company intranet, sending e-mail blasts and placing posters in high-traffic areas, GE Real Estate executives also encourage managers to have frequent face-to-face communication with younger employees.