Communication is key to the successful implementation of an information security program. Ensuring that your users understand why the information security program is doing what it is doing is paramount.

Key communication concepts include:

• Background: Communicate to your organization the reason you are conducting an initiative:
  • Clearly develop your vision and communicate that vision to the organization
  • Provide a roadmap for where you are today and where you expect your organization to move to
• Results: What do you plan to achieve because of the change?
  • How will the day-to-day life of the organizational user change?
• Plans: Clearly communicate the plan associated with your changes to your organization:
  • Instill confidence in your organization by ensuring that your project plan is well communicated
• Committee development: Establish key stakeholder groups to ensure participations:
  • Senior leadership: A steering committee comprised of senior leadership will instill confidence and help to ensure that leadership has a say in the development and implementation of the security program
  • User group: Having a user group of individuals from across the organization will serve to ensure that the usability of the information security program and its products is high
• Marketing and communications: Develop specific marketing/communication strategies targeted around the change:
  • Senior leadership: Should include:
    1. Develop materials that are easily digested and do not take longer than 30 seconds to read through
    2. Materials should not be in tech speak
    3. Materials should help senior leadership to understand that your change is aligned with and is helping to improve the organization's mission
  •  IT staff: Should be technical in detail and include:
    1. Purpose and impact of change include technical detail
    2. Technical details of change
    3. How the new change will be measured and reported to management
  • General users: Should include:
    1. Purpose and impact of changes without technical details
    2. Ongoing communications around change status
    3. Clear change date with expectations and any responsibilities the user has in the change