
I was recently asked a great question by Jonathan Crowe (@jonathanscrowe) on Twitter. While his question appears simple, it requires a complex answer. As such, I'm replying to Jonathan in a blog post rather than on Twitter.

Hey Lance, do you have any tips for emailing users re: security announcements/alerts? How often is too often?

The quick answer is that it depends on your organization and what you are attempting to communicate. The challenge is this: communicate too little and people forget about security and, as a result, do not change their behavior. Communicate too much and you overwhelm people, and cyber security becomes noise. In addition, it is very difficult to produce quality content when you are constantly communicating. Long story short, there is a certain balance you have to hit, and every organization is different on where that threshold is. Now let's see if we can take this wishy-washy response and get a bit more detailed.

In general, I find you want to communicate at least once a month. I also find email to be a poor communications channel: people are overwhelmed with email and tend to ignore it. I recommend other communication methods, such as a monthly newsletter, a monthly phishing assessment, monthly lunch-n-learns, etc. Every time you communicate, you most likely want to use multiple methods, as different people consume information in different ways. Over time, watch how once-a-month communication works for your organization, then determine whether you can increase the cadence. A good relationship with your communications team will be key here. To learn more about what the right cadence is and how to make your message stick, I really recommend the book "Made To Stick".

Other ideas for communication (especially for mature security awareness programs) include gamification, self-education portals, and security ambassadors. What is great about these approaches is that you own the communications channels, and by using non-traditional, informal methods the touch points can be more personal, more engaging, and more frequent. To learn about these approaches and how to really take your program to the next level, consider the intense two-day course MGT433 - Securing The Human. This course will walk you through how to build a mature awareness program, including a series of hands-on labs in which you build a comprehensive plan for your awareness program.