"It's an opportunity to be creative," he says. Plus, he adds, offering food always gets people's attention.

Carter advises that when writing a security policy, general titles and a common phone number/email address should be used rather than individuals' names and numbers given that IT security staff come and go.

Carter, who also implemented security awareness education programs at other organizations before coming to Harvard, says that that when a breach does occur or a malware infection takes place, the IT security department should use the event as an opportunity to stress the reality of security threats and the importance of adhering to best practices. "If management doesn't know you're facing challenges they'll wonder why they need an info security department," he says.

"Transparency is the best tool to promote information security," Carter says.