Tuesday 8 November 2011

Security Aware Employees - Yes, It Is Possible!


I often use the thought model AAA = Awareness, Accountability and Ability.

There is a "lowest organizational level" at which formal Accountability can be found, and it is surprisingly far from top management: it is the lowest level where you are still allowed to use your Abilities to manage both the cost of the risk and the cost of the mitigation connected with the information. At and above that level, too little Risk (and Cost) Awareness hurts severely.

But to get full engagement from all your co-workers, you need a little more. Your co-workers will never act "correctly", from your point of view, if they are not Risk Aware and thus do not understand how a threat uses a vulnerability to cause damage. And they will not read, let alone understand, all your policies, rules and smart blog posts on the intranet if they lack the time or the interest.

So how do you create that interest? By giving, and asking for, confidence, down to the lowest levels. By communicating (give and take) on risks, threats, vulnerabilities and mitigation, and by positive(!) as well as negative feedback on behavior. By Good Management, in short. MBWA (Management By Walking Around), if you wish.

Communication runs both ways (up and down), and mutual understanding smoothes the road. But to start with, and often further down the road too, it is one-way information. "We", the senders, really want to share our knowledge with "them", while "they", the receivers, have very little time for us, since we are just one of a zillion eager senders, each with his own professional language. That makes "us" accountable for the results of the communication: it is our job to make the message noticed and easy to digest.

You cannot blame the receiver for not noticing, or not understanding, a message written in a difficult language...
