Concise or comprehensive?
Currently I am supporting some NGOs in safeguarding a security culture in the organization. In this process I have recently had some fruitful meetings with project managers of an NGO that runs ambitious programs in challenging areas. Great and dedicated people were aiming for results and impact. One of the topics that kept coming up was the search for easy answers to difficult questions. “Can’t we just develop a generic SOP that applies globally?” “Can’t we just make a one-page security plan?” When I asked why they raise these kinds of questions, I discovered genuine needs as well as a genuine absence of knowledge of security management. Experts in the organization dive deep into analyses and comprehensive booklets, while the average staff member doesn’t recognize the difficult analyses in day-to-day life and therefore thinks they are not supportive in their situation. The material is read with little interest and builds resistance to the matter of security.
Time and again I find that outlining a security plan that is accessible to all who are to be protected by it is quite an art. If we, security experts, really start producing concise, easily readable, hands-on guidelines, we invite the users to actually read and apply them. Once we have caught their attention, we might improve their knowledge of security management as a side effect.
The big question is: are we willing to invest the extra time and effort it takes to develop them?