The other day I was in a meeting with one of the UK’s most powerful financial organisations. I’d been invited in to talk to the team about the latest market trends and what I was seeing. We talked about many things like ransomware, the sophistication of today’s attackers, new technology solutions, regulation (like GDPR), and the diversity and talent within our ecosystem. Then I brought up internal threats, specifically people.
I asked them if they’d humour me for a few minutes and they agreed.
“Close your eyes,” I said.
“I want you to step into another’s shoes – someone who works at your company.
Imagine what it feels like to be told that you’re a weak link.
Imagine what it feels like to have to undergo a standard security awareness training programme once a year, or more, just because of this. To know that if you fail the test you’ll have to repeat it and that you may be penalised because you’ll be endangering the organisation. Behind closed doors, some people may even be talking about you and muttering, “You can’t fix stupid.”
Chances are you’ll find this irritating, or it may even worry or upset you. Maybe these words or phrases will go through your head before or after.
A WASTE OF TIME.”
Their faces were solemn, their bodies were slumped in their seats and they all nodded their heads in agreement. I continued.
“Now let’s flip the switch.
Imagine what it feels like to be told that you’re valued.
Someone who can help an organisation protect its assets, defend against cyber attackers, act as a shield, and be effective.
Chances are you’d be feeling much more open to engage, learn more, and help.”
Once again they all nodded their heads but by now they were smiling and sitting more straight in their chairs. I continued.
“Let’s knock it up a level.
Imagine what would happen if you were given a voice, had an opportunity to feedback to the organisation – the security team – and suggest improvements.
The dialogue is now open.
There is no them and us.
You’re on the same team and part of something together.
What if you could be rewarded for your efforts too?
Chances are you’d be feeling much more empowered.
Maybe you’d even be interested in learning more about cyber security – a topic that’s pretty cool right now.”
I asked them to open their eyes. By now their faces had lit up, they were fidgeting, and desperate to talk. The room was energised. They understood what had just happened, and we reviewed the human risk element, and how security awareness training programmes are being implemented.
I explained that it’s easy to get lost in our ways, to follow the crowd, and to say or do what everyone else is saying or doing. But, if everyone is thinking alike, then is anyone really thinking.
It’s much harder to challenge the status quo, and to look for better solutions. Yet, that’s what we must continually do if we’re to perform to a higher security standard, and achieve better results. We must collaborate, and use our resources more effectively, rather than divide, build walls, and maintain silos. Communication can help us do this, as it draws on language, which is where change really begins. Add in images, visuals, and sound, and you’re on your way to creating something that’s powerful, simple, and effective.
Here’s my high-level advice.
Tip 1: Define your objective. To begin, consider your objective and what you’re trying to achieve. This sounds obvious, but you’d be surprised how many fail to do this. The reason I know is because they can’t measure and evaluate the results of their security awareness training programme afterwards. Imagine how delighted the Board would be if you could communicate this as a value.
Tip 2: Assess user group profiles. Once you’ve established your objective and how you’ll measure it, look at your user groups, and their risk profiles. Go through scenarios for each group, as not everyone has the same training needs. A questionnaire, which can gauge their level of security competence in accordance with their role often helps. Spending time training users in the same vanilla way, which is usual, not only bores them, but it’s costly too. It means that they’re not being productive elsewhere in the organisation. Tailored programmes, on the other hand, maximise engagement, and their overall understanding of the problem, which enables you to deliver and measure a much more effective security awareness training programme that produces immediate value.
Tip 3: Plan your communication. Consider your communication methods, particularly your training modules. Over the years I’ve seen high quality security awareness training videos that are extremely amusing. I’ve cringed at the scenarios, and laughed a lot. They’ve made me smile, and lifted my spirits. However, although they reached me emotionally, which is what you need to do, the end result is that they often just leave everyone feeling like this – amused. Few remember what the learning lessons were shortly after. All they remember is that they laughed, which kind of defeats the objective. So, test the modules with a select and diverse user group to get their feedback prior to purchasing.
Tip 4: Adopt an entrepreneurial mindset. This means being open-minded, rather than fixed when you’re implementing the programme. Test, tweak, and get feedback from those using it. Connect with your employees, empower them, make them feel part of something, and find champions or ambassadors who can help you evangelise. We don't know it all in security, and there’s no shame in admitting this, it’s what strong leaders do. We can always improve, and being receptive helps us avoid being blind sighted. By making your employees your strongest line of defence and telling them this, you’ll end up creating a security culture that’s onside, that innovates, adapts to evolving threats, and strengthens.
Now I want to hear from you…
- Tell me what resonated, what you’re going to do differently, and if you’ve got more advice please let me know and share it here.
To find out more…
Please watch Microsoft Office’s Modern Workplace Episode 307, Cyber Intelligence: The human element, and hear from Dr. Jessica Barker, a cyber intelligence advisor, and Phil Ferraro, the CISO for Nielsen, on the human risk element.
Jessica will share simple steps you can take today toward motivating your organization and helping to keep security threats at bay. Phil will share five common security myths you must avoid to help keep your data secure. Together, these experts will give you insights on how you can best strategise to meet your most urgent security needs as it pertains to the human element. Plus, explore features of Office 365 Advanced Threat Protection and Windows Defender Advanced Threat Protection that will help you stay a step ahead of a potential threat.
Finally, in the spirit of full disclosure, please be aware that I’ve received compensation for promoting this Microsoft Office Modern Workplace Episode. Because your success is important to me, I only align myself with brands I believe in, and this is one of them.