Creating a Meaningful Security Awareness Training Program Is a 12-Month Commitment

Monday, December 11, 2017

Perry Carpenter


Let’s start by asking ourselves a question: As an industry, do we do ourselves a disservice with National Cybersecurity Awareness Month (NCAM)?

When we have a month and event established on the premise of raising awareness, we start to see corporations, government agencies and organizations put all their efforts and resources around building a big splash that month. In doing that, they tend to downplay and deemphasize the other 11 months of the year. They unintentionally communicate that cybersecurity is not something that needs to be integrated into their day-to-day, or even week-to-week lives, but rather it’s presented as an externality. It becomes an “other,” or an “add-on,” and it’s approached in a way that isn’t tied into, or even relevant, to the rest of their lives. NCAM is an event, and events by their very definition imply that it is other or special, something out of the norm.

When you look at other disciplines, where people, cultures, or companies try to integrate ideas into our thinking, the messaging is much more frequent and distributed. And while it may be less flashy, the consistency is more valuable.

A great comparison is the world of marketing. You don’t see McDonald’s holding a burger month once a year; instead, they hit you with information, ideas and promotions as often as they can afford to. Why? They want to integrate into your everyday decision-making process, and they want you to have immediate brand recognition and immediate relevance. The security industry has a lot to learn from people who know how to make ideas stick and how to influence behavior.

So yes, in my opinion NCAM can be a disservice. But should we get rid of it? Absolutely not.

NCAM is a good call to action, but don’t put all your eggs in that basket. When you talk about things in that context, you’re hitting people with information that may not be relevant to that day or week. For example, if you’re teaching password best practices during October, it will not sync up with when the vast majority of people in your organization need to change their passwords. By the time password change requirements occur, employees will revert to previously learned behaviors and forget to use the information they were given. Instead, we need to distribute the password tools and lessons more strategically, at the right time and place, so we’re giving employees the most relevant information when they are about to take an action. That’s where we need to be: we need to put the trigger at the point, or as close as possible to the point, where the action is about to happen.

When it comes to what you can or should be doing, particularly on the security awareness training front, you need two things: 1) your finger on the pulse of organizational culture and 2) executive buy-in. If you get both, you can understand the company dynamic and then set clear expectations about what your level of engagement will be and how you will effectively use people’s time and attention.

But how do you get there, and then how do you implement?

Best Practice #1: Get executive buy-in. Speak the language of the business and tie awareness training into the way your organization views risk and opportunity. Explain that if you only raise awareness during NCAM, or if you only do new hire training, it will be ineffective and you will not be able to change behavior. Don’t allow training to become solely a legal or compliance checkmark.

Best Practice #2: Work with your internal marketing team. Not only do they know how to communicate and influence, but they understand your brand identity, the goals that you have, and the way your company talks about things, and they have an informed view of how and when other internal communications are occurring. Don’t be an outsider; instead, take an internal communications approach.

Best Practice #3: Be strategic with frequency. Treat it like marketing swimlanes. Think about different channels (modes of communication and types of messages) and how you would distribute them over time. As a result, you’re building greater awareness of your security ‘brand’ and core messages, and you have the best chance of building secure reflexes.

A piece of this is implementing the “Five Moments of Need” model within training. If you want to communicate new ideas or get people to adopt a new patterned behavior, use point-in-time training. At a high level, this looks like: 1) telling people about something for the first time (new hire training, yearly training, etc.); 2) learning more through ongoing training, which is still point-in-time and event-based; 3) “just-in-time” training when employees want to apply knowledge (e.g. a password change); 4) when something goes wrong, which is where simulated phishing or traditional blocking technologies come into play; 5) when something changes (systems, law, regulation, etc.), so that people get the associated training they need.

Best Practice #4: Use variety when sharing ideas and tools. Various forms of content resonate differently with different people. People are individuals, and each has a unique way of absorbing communication, so it’s important to share content in a variety of ways, from newsletters to video; options are necessary to get everyone’s attention and focus.

In general, I recommend an 80/20 rule. You want to apply approximately 20 percent of your budget and efforts during NCAM while the remaining 80 percent should be dispersed over the other 11 months. That allows you to make a big splash in October but still stay relevant and top-of-mind all year long when it will matter most.

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of an integrated new-school security awareness training and simulated phishing platform.
