Does your organization have a formal security awareness and training program? I’m constantly surprised at how often the answer is an awkward and uncomfortable “no.” Implicit in the awkwardness is the recognition that such a program is a critical piece of a strong security strategy. Without awareness and training, it’s likely that security will not be front of mind for your end users — but that doesn’t mean that organizations with formal programs are effectively engaging their employees.
“Most companies struggle to engage their users,” said Jason Hoenich, founder and chief product officer at Habitu8. “The foundational issue is that everyone’s been using the same content to train for the last 10 years. And you know what? That content sucks. When I was at Disney, I refused to use the off-the-shelf training content the vendors had at that time. I made my own, and my users loved it. That became the blueprint for Habitu8 training video series.”
For the better part of this decade, enterprise security has tried to mitigate risks from end users. Yet to this day, human error continues to facilitate many breaches. Recognizing that humans are one of the weakest links in the security chain of today’s digital enterprise, the InfoSec Institute designed a new course focused on the soft skills needed to address the human element of security and risk.
The Certified Security Awareness Practitioner (CSAP) course seemed as if it were designed with someone like me in mind — a cybersecurity enthusiast without a technical background — so I had to enroll. Now that I can officially put some capital letters after my name, I’m happy to share what I’ve learned about how to revitalize or build an effective security awareness program.
Why Security Awareness Matters
The ultimate goal of an awareness and training program is to change human behavior, which requires more than just checking a compliance box. It takes serious thought, thorough planning, clear communication and more.
For Lisa Plaggemier, chief evangelist at the InfoSec Institute and CSAP instructor, a good security awareness program has to recognize that there is a difference between training and awareness. The key distinction between the two is that awareness can provide someone with knowledge, but training is required to change their behavior. However, that’s not to say awareness isn’t important.
“People can be forced to change their behavior without having a clue as to why they need to change it,” Plaggemier said. Technology can force mandatory password resets, for example, but that doesn’t mean people aren’t going to recycle and reuse their go-to passwords. An effective security program has both awareness and training aspects.
Human Error Relates to Everyone
While end users are often blamed for unintentionally clicking on malicious links, it’s not always non-security employees who are at fault. Many organizations made headlines in January after security researchers discovered misconfigurations that left data exposed without a password. That’s human error. Then there are coding errors that create vulnerabilities in applications. That’s also human error.
At the root of all these errors is a lack of awareness about how individuals’ behaviors can create risk, which is why security awareness and training must be agile, ongoing and meaningful to each end user.
“Unfortunately, even when organizations implement a security awareness training program,” said Perry Carpenter, chief evangelist and strategy officer at KnowBe4, “they fail to do so as effectively as possible for a variety of reasons.”
The primary reason is that they fail to bridge the gap between awareness and caring.
“As an industry, we can do better; and we certainly have a lot to gain by doing so,” Carpenter said.
How to Create More Awareness That Sticks
Building a better security awareness and training program comes down to strategy. If the extent of your awareness program is an annual training and maybe an email in October for National Cyber Security Awareness Month, it might be time to poll users and gauge what they know and how they feel about security in the organization. If you are a security leader in your organization, ask yourself if you have given employees enough reasons to care.
One of the first steps in creating a better program is to define the purpose of the program. The lack of a program mission statement, according to Habitu8, makes it all the more challenging to set and achieve goals. Additionally, for a company to be stronger, safer and better equipped to respond to security issues and incidents, there also need to be established lines of communication between and among different departments, Plaggemier noted.
The success of any program also demands C-level support for its projects. In response to every “uh-oh” moment, security needs to consult with leadership, who then should provide the resources needed to either accept or mitigate the risk. Without that interaction with and support from leadership, security teams are left feeling deflated.
To help connect with different employees in the organization, practitioners should leverage individuals who are a little more cognizant of good cyber hygiene. You know who they are, so recruit them from across the organization to develop a security ambassador program.
If you’re thinking about revamping an existing program or creating a new one from scratch, you’re likely looking for different ways to be edgy and engaging. Fortunately, you don’t need to reinvent the wheel; there are lots of resources available to help, regardless of how big or small your budget might be.
“I worked for a few movie studios and had the art of storytelling pounded into my head,” Hoenich said. “I’ve produced three-minute videos with a $100,000 budget for a single video, and have done the same with $5,000. It all comes down to how you tell the story and engage your audience.”
What’s Your Story, and Who’s Your Audience?
In my humble opinion, the ideal team to develop a security awareness and training program would be composed of individuals from several departments, including security, legal, human resources, corporate communications and marketing. Yes, marketing.
Why? Because security is the product and the employees are the target audience. A good awareness campaign will attract the attention of different personas, hold their interest and leave them with a burning desire to learn more. That’s when behaviors will start to change.
Grabbing employees’ attention means understanding who they are and creating stories that matter to them, so perhaps it’s time to get reacquainted with Joseph Campbell and the hero’s journey. The stories we hold dear are those with compelling or relatable heroes who face some problem. As they endeavor to resolve their conflict, the story builds to a climactic moment and then ends with a satisfying resolution.
“You can support the story with learning, but you can’t support the learning with a story,” Hoenich said. “Humor works really well in corporate offices these days; everyone needs to laugh about something. Give them that and you’ll have their attention.”