Design awareness efforts to either change someone's behavior or to reinforce beliefs. Awareness is not training: it is simply a way to focus attention on the topic at hand. As a part of the organization's compliance implementation process, awareness is the very first step that has to take place when introducing a new idea or control. Think of it this way: if no one knew you were introducing a new idea or control, how would you be able to do it? Below are the six basic steps of any compliance implementation process, and, as you can see, awareness is step 1.

Information Assurance Compliance implementation process steps

Read this if you think you can skip this because...

...we have to, so everybody will just do it

You might be saying, "I can skip this section because the CIO/CISO/CLO has mandated that we have a metrics program." Uh, no. Just because someone at the top of the organization says "go forth and do metrics" doesn't mean that everyone in your compliance team is going to jump on board and say "golly gee, let's do it!" Unless, of course, your team is comprised of Judy Garland and Mickey Rooney. For the rest of us, we have to broach the idea no matter what, and make people aware that there are metrics they will be implementing and they should have a say in which ones they are and how those metrics will be implemented.

...we have a ton of metrics projects already

Another really good reason not to skip over having a clear awareness program is the confusion between metrics and measurement and the problem that you might have overlapping programs. Many mid-range and large organizations are probably running some kind of metrics and measurement programs already. However, many of those programs might be aimed at providing data (which are measurements) instead of metrics (which are based upon analysis). More often than not, when there are multiple programs we tend to see those programs overlapping each other in their sources and their targets. As Jason Taule, one of our distinguished field editors told us,

"We're in the professional services industry developing COTS products for the commercial sector and developing custom solutions for government customers. In both cases, metrics are essential. We were collecting one set for ISO, another set for CMMI, another set for EVM, another for ITIL, and yet another for Security. You can imagine what a nightmare this was to manage, not to mention the potential duplication of effort as well as the possibility of inconsistent results (think blind men figuring out that elephant). This is why the key question approach was so critical.

As a member of the executive team, I realized that they were all different slants on the same fundamental management questions we wanted to know about -- where are we now (relative to some strategic or even tactical target)?; where do we need/want to be?; what do we have to do to get there?; how are we faring in our efforts to get there (both progress as well as efficacy)?; and, finally, is our target the same or has it shifted (and what course correction is appropriate?)?.

Based on this, we pushed back on the individual teams to stop providing data and start feeding us information (i.e., answers to the key questions). All groups now report on the same questions (of course targets are somewhat different in each area) and many now rely on a common underlying set of data collection elements and even some of the same metrics."

How you implement your metrics awareness step will be based upon your level of maturity for making people in your organization aware of new ideas. Every organization can be graded on a scale of maturity for each of the implemented process steps. The level of maturity for any awareness campaign can be measured from an initial ad hoc state (L1) through a highly mature and optimizing state (L5), as shown in the table that follows. Before the organization can even hope to be proactively communicating about a metric awareness program, it has to first recognize the need for the program.

Levels of awareness maturity

As you'll see later in this section, how you communicate is somewhat dictated by the level of maturity at which your organization is currently. The work breakdown structure for awareness is as follows:

Work Breakdown Structure for awareness