Editorial Note: This is a guest blog post from Paula Fetterman <email@example.com>. We feel she came up with an amazing idea and asked her to share it here.

In Feb 2014, I had the opportunity to attend the RSA Security Conference in San Francisco. While attending an early morning session (thank goodness for caffeine), I heard Todd Fitzgerald’s presentation on “Generations Defined By Moments” and soon became very intrigued and engaged (yes...unusual for me at an early morning session). His premise was that each generation approaches security (and life) differently because of the technology that was prevalent during their formative (teenage) years and the events that occurred to shape their view of the world.

Many security professionals believe that Security Awareness training is ineffective because of the attitude of employees – the employees just don’t want to listen and/or learn. Todd’s presentation made me think that it may be the Security Awareness professionals who need a little adjustment, and not the employees. Security Awareness professionals may, in fact, be alienating employees because of the technology/method used and the attitude/message conveyed in our Security Awareness program.

As someone who is responsible for Security Awareness at a financial institution, this was a call to action for me. I started thinking that we need to treat our employees with the same care and consideration that we try to treat our systems:
- We don’t try to patch our systems or server farms once a year and within 1 hour. But many organizations try to change employee behavior using only an annual Security Awareness training. Lesson learned: Patching humans should be an ongoing activity that occurs year round – ideally scheduled, but sometimes reactive to current vulnerabilities or malware (Heartbleed, anyone?).
- We don’t try to update a mainframe using the same techniques as Java. But we do try to update employee behaviors (from Baby Boomer to Millennial) using the same Security message. Lesson learned: The diversity of our approach should reflect the diversity of our organization. Don’t try to make them come to you.