Importance of Branding Your Information Security Program

While technological solutions abound in financial institutions have installed firewalls, intrusion detection systems, robust anti-virus and anti-spyware solutions, and strengthened authentication methods, financial institutions have forgotten security awareness training. One reason? There isn’t a recognizable “brand” for the information security program at many financial institutions.

According to information security expert Rebecca Herold, branding your information security program is the first step in building the basic awareness for the increased information security issues facing your institution. “As far as internal branding, that’s something we did at Principal Financial Group,” Herold said. Her work in building the information security program at Principal Financial Group garnered outside recognition through awards, as well as the internal recognition by the financial services company’s staff.

“Our branding program worked out very well. We planned and executed a wide variety of placements for our brand,” Herold explained. Some examples she included was to create a non-human representative for your brand. “Ours was a figure with a padlock head, we named it ‘Paddy Lock,’” she recalled.

Paddy Lock had a big padlock head with a human-like body. “We branded all of our emails, newsletters, announcements and any giveaways from our information security group with Paddy’s likeness,” Herold noted. The information security group went as far as having a professional costume created for Paddy Lock, and one of the members of the group would dress and appear in costume for meetings, walk around the corporate offices, and would hand out information to employees.

Herold said that whether employees liked Paddy Lock or they thought it was too cartoonish, “the point was that people recognized it, and saw the need and importance of our message,” she said.

Herold also stressed the importance of making whatever logo or identifying likeness something your staff (and customers) can relate to, “If you can make it unique to your company, this will go a long way in helping brand your program,” she added. While some financial institutions use outside logos, like the Federal Trade Commission’s logo or other outside agency logos, Herold recommended the individual brand as being best approach.

Logos are an effective way to brand your program, but there are a few issues that need to be considered when choosing them. “Review the logos carefully once you’ve narrowed it down and are ready to make a choice. Remember to consider the cultural and ethnic and regional groups who may be represented within your institution’s workforce,” Herold said.

“This is why we went with something as a cartoon character, didn’t open the chance someone would identify a certain group and thus reduce the chance of offending someone,” she said.

Herold noted that branding is a great way to get it quickly in front of employees, and in their minds. It works especially well on a website, she recommended including the brand logo on screen savers and on your group’s intranet site.

When incorporating the brand logo into your awareness program, there are just so many different things you can do to add vibrance and color to it. “When you’re considering doing them, take a look at what your institution is, and what is the makeup of your employee base. It really depends on your organization’s level of acceptance, some are more open, some are more rigid,” she explained.

If you haven’t already done this for your information security program, the branding and use of “catch phrases” is also recommended by Herold. “It doesn’t have to be elaborate, but something that drives home the idea that information security is important to business at your institution.” Herold also noted that if your institution has a marketing or advertising department that using them as a resource is invaluable.

Finally, when branding your program, it is of utmost importance to have your institution’s senior management buy in. “This is very important, and will ultimately be the number one reason for the success of your program,” Herold noted. This person needs to be the CEO, president or other respected, visible leader in the institution. “They need to state that the information security program is important. Without this, you’ll be doing double the work, because people won’t view your program as something vital to the business of the institution, she concluded.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.