Cybersecurity isn’t the sexiest topic for employee communications. In fact, it’s fair to say that most employees’ eyes glaze over when they see or hear “security.” But organizations that get it right — and get employees engaged — can create the change that’s needed to protect their systems and data.
What does it take? It takes a little creativity and a lot of consistency to move the needle towards a win-win result.
Ban the buzzwords
Communicating effectively is always important, but when communicating about cybersecurity it’s especially important. Security is everyone’s responsibility and the majority of successful cyberattacks are the direct result of human-related causes.
To reach people outside the world of IT and cybersecurity who don’t understand tech jargon, it’s necessary to ban the buzzwords. Not only do tech terms have the undesirable effect of making people feel excluded, some perceive their use as trying too hard to impress, according to a poll of 1,500 workers conducted by Enreach. While every industry has its own jargon, technical terms and industry slang are likely to be misunderstood by people outside the IT/security space.
Understand the stages of competence
When people learn something that is designed to change their behavior, they go through a series of stages termed as the “stages of competence.” These stages apply whether one is learning a new language, starting a new job or identifying a suspicious link in an email.
Here’s how these stages work:
- Stage One: Unconscious incompetence — At this stage, people are simply oblivious. As applied to cybersecurity, this would be an employee who has no idea that clicking on links in suspicious emails or texts could lead to a serious security breach.
- Stage Two: Conscious incompetence — At this stage, the subject doesn’t know the material, but wants to learn. Continuing the above example, the employee recognizes the danger of a cybersecurity hack or phishing scam and wants to learn how to avoid them, but isn’t sure what steps to take.
- Stage Three: Conscious competence — Here, the individual knows what needs to be done, but it requires effort or direction. As it applies to cybersecurity, the individual knows more about suspicious links and how to identify one and may refer to a checklist to double-check or consult with someone who knows more.
- Stage Four: Unconscious competence — At this stage, the person has the skills and automatically knows what to do. It has become second nature. The employee can spot the suspicious link without referencing a checklist and knows what to do — report and delete it, whether it’s a simulation or a real suspicious email or link.
- Stage Five: Mastery — Here, the employee is an expert at the skill or task and can help others. At this stage, the individual can spot suspicious links competently and can train others to move through the stages.
It takes time, repetition and focus to ensure that employees embed the knowledge they need and move from unconscious incompetence to, at a minimum, conscious competence. This is where true behavior change occurs. This is where security culture can be created and supported.
How to get employees there
To move employees from unconscious incompetence toward mastery, it’s important to speak in a language and terms that they will understand, using approachable, descriptive and inclusive language.
When starting, assume the group knows nothing so that no one falls through the cracks of assumed knowledge. Not everyone will raise their hand and ask a question if they don't understand something. Keep in mind that disengagement occurs the moment something is not understood.
But meeting employees where they are in terms of understanding and knowledge, without judgment or condescension, can help them get to where they need to be. Once the importance of security is understood, it is likely employees will see the value in their personal role and responsibility to cybersecurity.
There are a lot of elements required to communicate when it comes to cybersecurity. Knowing how to do so effectively increases success. When communication is well done, engagement will occur. Understanding how people move from learning to behavior change will improve the security culture as people will embed the knowledge and act upon it, even when no one is watching.