We talk a lot about communication and how important it is, but for many it remains a big challenge. Externally we employ PR and marketing specialists to make sure we get the message right every time, but internally we often struggle to share the right information in the right way. Everyone has a packed email in-box with items vying for attention, while social media options continue to proliferate. How do we engage our colleagues long enough to make sure they’re aware of a key piece of information that, on the face of it, looks pretty dull?
This was the issue facing itSMF UK board member Richard Horton four years ago, when he was given the task of implementing an Information Security Management System (ISMS) at the NIHR Clinical Research Network Coordinating Centre (CRNCC). Information Security isn’t top of most people’s agenda and yet an ISMS depends on people throughout the organisation being aware of how it impacts them. Some of this was already in place, but Richard needed more.
“We had generic mandatory security training that we carried out on a regular basis,” he said, “but we were missing a level of detail that said, this is how it applies to us in our day-to-day roles.”
Richard suggested to senior managers that a regular communication was needed, highlighting the essential elements of the ISMS strategy, but they were concerned that its reach wouldn’t be wide enough. Next he got together with the organisation’s workforce learning team and concluded that a monthly blog might be the answer.
“I was quite lucky in the timing. WannaCry hit the news in the next few days and gave me an information security subject that everyone could see was relevant. Then there was NotPetya. I chose five topics, and tied them in with our organisational learning focus.”
The response was positive but success took a little while to achieve.
“A key moment came with the fourth blog. I called it ‘The Big Yawn – what we are doing to keep information security boring’ and compared our approach to security management with road signs and the MOT. People appreciated the light-hearted analogies. I had senior people with a low technology tolerance threshold telling me how much they enjoyed it and how helpful it was.”
Building on this encouraging feedback, Richard has continued to produce a monthly issue of the Inside Story blog. Characters as diverse as George III, Gloria Hunniford and Jonny Bairstow have dovetailed with more personal anecdotes from holidays and hobbies, the contents of supermarket shelves and something intriguingly called Biro Jenga.
“I try to keep it light, and also include some practical advice when we spot things that regularly catch people out. If there’s one thing I’m particularly pleased about it’s that such a broad range of colleagues, from Exec members to administrators, tell me they look forward to reading my blogs.”
Has it proved difficult to find enough content to blog each month?
“At first it seemed a bit daunting, but I quickly realised there was no shortage of subjects to address, and once I was into the routine it became a lot more straightforward. Over the months I have occasionally joined forces with co-authors who had a favourite topic to share. I’m also a keen photographer, and I add photos where I can to help with the message – including a logo I’ve developed from the Game of Risk, which I thought represented the ISMS quite effectively.”
And the positive feedback keeps on coming from colleagues who appreciate the entertaining delivery style.
“I wouldn’t say I get a large volume, but it’s a constant thread. What really encourages me is that it comes from people who have found it useful in getting their head around a complex subject. One I particularly liked on our ISO27001 certification work commented that the blogs ‘even made the process enjoyable along the way’. Anyone who has been through an ISO27001 audit will know it’s not exactly a bundle of laughs, so I was really pleased that people had survived the ordeal and come out smiling. The blogs are just one piece of the jigsaw, but I think they helped to get people on-side, which has made such a difference.”
The excerpt below from one issue of Inside Story illustrates the value of a lighthearted intro to an uninviting topic…
What is a Pen Test?
■ Biros at dawn: first person to draw an X on their opponent’s forehead wins
■ Pen Compliance: does your biro comply with ISO12756 (yes, there is an international standard for biros)
■ Pen Jenga: who will make the pen tower collapse
■ Pen Style: who has the coolest pen
■ Pen Exam: retro exams where you have to write for 3 hours rather than do multiple choice questions
You won’t be surprised to find out that it is none of these. Pen Test is the colloquial description of a Penetration Test. Not the most imaginative description but a lot friendlier than the likes of ISMS and SLSP. So what is a Penetration Test when it is at home? …
Richard Horton is IT Service Portfolio Manager at the NIHR Clinical Research Network Coordinating Centre (CRNCC). The CRN supports patients, the public and health and care organisations across England to participate in high-quality research, advancing knowledge and improving care; and the Coordinating Centre provides national leadership and coordination.
itSMF UK is the country’s leading membership association for service management professionals – with members ranging from individual service management practitioners to large multinational organisations.
We have spent the last three decades helping ITSM professionals both to be better and to do better. As the first of an international network of itSMF chapters, we have followed a path of enriching the working lives of our members, as well as those who benefit from our events, training and guidance, and those recognised by our annual awards.