For those of us with the grueling task of designing a holistic security awareness program, building it is only one part of the equation.
The “check the box” mentality when it comes to remaining compliant with cybersecurity standards will no longer fly. Chief information security officers (CISOs) and executive leadership teams are demanding more creativity and ingenuity of the human element in that space. This means digging deeper to find the secrets of security awareness success and how to turn those lemons into lemonade.
Tip #1: Gauge the organization’s vision
Network across the multitude of business units in the organization. Interview and survey employees, and run focus groups drawn from a variety of demographics, to gain a sense of how they view security, what they think of the policies requiring company acknowledgement, and what they deem important.
Find out what employees and leadership think about the content and communications being sent out. Do they want content with more visuals to help explain the technical jargon? Are there employees whose first language is not English? Do you have a generation that grew up in the digital age and would love to engage more on your social media sites? What types of engagement do they want more of or less of? If your tone at the top is aligned and flexible, then you are one step closer to a unified security culture.
Using these questions can help security leaders develop a process for creating a successful security awareness program based on organizational priorities:
- Let’s take a page out of business school and ensure your goals are specific. Will this security goal be achievable each month or quarter? Will your plan gradually modify behaviors and, over time, impact the overall culture?
- What good are goals if they’re not measurable? Ensure you have the necessary metrics to back up your ongoing campaign goals and the changes you are trying to achieve. Measure every program campaign, whether training completions, simulated phishing results, engagement events, marketing promotions or newsletters.
- Translate your metrics into actionable goals. An example could be increasing event engagement by 5% per quarter, or increasing the overall phish reporting rate by 2% each month by continuously branding the security message in communications delivered through unique channels.
- This space is about reducing risk, but be willing to take a risk. So what if you’re aggressive in setting goals? Perhaps you can recruit force multipliers across the organization to help deliver long-term plans. If the security team doesn’t have internal marketing talent, think about employing someone with a marketing, sales, communications or teaching background who has soft skills, patience and high emotional IQ. That person may not be a seasoned cyber professional, but they know a thing or two about how to influence human behavior. The security team is a tiny blip compared to the rest of the organization. Use resources and influencers wisely.
Tip #2: Weave security culture into organizational culture
This is where the tone at the top can make or break a security awareness program. It’s vital for the survival of the program to partner with leadership to determine how you can influence the organizational culture.
Be willing to create unique cyber promotions, contests and escape rooms, and garner support by teaming with HR, marketing and/or the corporate social responsibility groups. Come up with a reward or point system to reinforce security best practices, create a baseline, and see where it leads. We could all use some healthy, spirited competition these days, and leaders will never turn down a competition!
Tip #3: Redefining cyber hygiene and cyber IQ
People are busy with their day jobs while simultaneously getting hit with huge doses of messaging from across and outside of the organization. How will security stand out and drive the message home in the most succinct and meaningful way? Send bite-size content with exciting visuals to draw people in, along with a link that directs them to the remainder of the communication.
Tip #4: People come in all shapes and sizes
How well do you know the people who make up your organization — the regions, divisions and demographics? How you address everyone — from Baby Boomers to Generation Z, from traditional formats to tech-savvy engagement on social media — will make all the difference in your choice of delivery and help you avoid communications going awry. Research!
Tip #5: Forward thinking
Know that a successful security awareness program is never one and done. It will consistently be reformed and will evolve for the better. Test your program: you may fail at times, but before long those failures will transform into successes. Be realistic about awareness campaigns and be fully committed. Consistency is key. Patience is the other key.
Lastly, never make it the sole responsibility of the engagement & awareness person to carry out the entire program on their own shoulders without management support. It is a monumental task to continuously educate, inform and modify behaviors of the entire organization. Everyone must contribute to succeed. A great quote by Henry Ford sums it up best: "If everyone is moving forward together, then success takes care of itself."