Peer to Peer Magazine

Fall 2014: Security Is Everyone's Business

The quarterly publication of the International Legal Technology Association


LESSONS LEARNED

Security Awareness Training Is the Star of the Show

About the Author

Sherri Vollick serves as the IT Security Manager at Holland & Knight LLP. Her primary focus is the ongoing development of the information security program. Sherri has over 10 years of information security and risk management experience and over 20 years of broad and diverse IT experience in a top-tier, global law firm and global professional services firm. She is an active member of ILTA's LegalSEC steering committee, ISSA and ISSA's Women In Security SIG, ISACA, and ISC(2). Sherri can be reached at

Rolling out a security awareness program at our firm should have taken center stage, but in spite of over two decades of experience with successful rollouts, I managed to dim the debut of OnGuard from Traveling Coaches by having it share the spotlight with a new learning management system.

We believe that security doesn't "belong" to IT; it's not the sole responsibility of the security manager (if you have one); it doesn't sit squarely on the shoulders of the risk mitigation partner. Information security is everyone's concern, and security awareness training must have a starring role to get the attention it deserves.

THE ROLLOUT PROCESS

In preparing for our rollout, we assembled a multi-departmental team of individuals to provide input: Staff from our training group, professional development and HR were involved. Along with me in the security manager's role, our firm's general counsel and HIPAA partner participated on this advisory team. We attended a strategy planning session offered by Traveling Coaches that helped us make all the decisions around deploying a program of this magnitude to the entire firm. All helpdesk personnel, IT professionals and business managers participated in a half-day "boot camp" to underscore the key role they played in the success of the program.

We decided on mandatory viewing of the introductory modules by everyone in the firm. The modules would be preceded by a very short introduction by our general counsel to underscore the seriousness with which the firm's management approached the training. We were keen on keeping our delivery short and sweet, and these components were pieced together to create a 30-minute video.

When all the details around the video were settled, we focused on perfecting the announcement message to carry the necessary seriousness and the timing of that announcement. We were down to one last decision: How were we going to deliver the training? And our trouble began, as trouble often does, by trying to do two things at once.

STEALING THE SPOTLIGHT

We wanted to be sure that everyone in the firm watched the video, and we wanted to be able to see reports that confirmed compliance. We decided to use our new learning management system — an idea that seemed like a win-win. We would get our new learning management system out to a wider audience, and we would also introduce our new security awareness program. Two stellar performers sharing a stage; what could go wrong?

THE LESSONS

I left all of my experience-based knowledge behind for this rollout. I can reinforce previous lessons learned so that you don't make a similar mistake. You should never introduce a new topic and a new delivery method at the same time. Because our new learning management system had not been pushed to this level in the past, and the glitches interfered with what we'd hoped to be a flawless delivery of the security awareness training, we paid a price for our decision.

In hindsight, we should have put these two offerings on separate stages, each in a starring role. Take a lesson from this seasoned director.
