Security: day one or one day?

‘They’ say first impressions last…. They couldn’t be more on the money when talking about the first impressions made by an organisation. As employers, we get one shot at making a first impression on a new starter. Those first few hours and first interactions are when we impress upon staff our fundamental values…..whether they are the ones written on the wall in reception or the informal values exhibited by staff. Either way, new starters will soak it in…even subconsciously.

This week, I was reminiscing with a colleague about my first day onsite at a utility. On my arrival, not long after sitting down at my new desk, a man appeared in my doorway with a yellow hard hat under his arm. He was there to deliver my safety briefing…. advising me of my responsibility to report hazards (and even near misses) to ensure the safety of all staff from the engineering halls to the office. I would learn that the value and importance placed on safety in the organisation was to be a constant topic of conversation going forward ….but to have the expectations and procedures personally delivered to me within minutes on day one certainly set the tone for what would be expected of me every day for the next three and a half years. No matter what…safety came first.

The first day is a rare, golden opportunity to catch every new staff member at all levels of the organisation before their meeting schedule explodes and they get down to business. Could we use this precious time on those first hazy days to impress upon staff their role in securing the business? Without these expectations set early, we run the risk of having employees who are not aware about security in our organisation or who do not understand that their actions can escalate into cyber incidents. While we are getting better at having consumable security policies and campaigns for security awareness, can we afford to leave setting cyber security expectations to one day in the future?