Security Awareness job role chart

Last month we kicked off a blog series on the 4 W's in building an effective awareness program. We explained that to effectively manage human risk, organizations need to answer four key questions: WHY, WHO, WHAT and HOW. Today we focus on the last question - HOW.

Ultimately, HOW is about communication. To change behavior, we have to effectively communicate to people WHY it's important to them and WHAT you want them to do. Unfortunately, that is something our community is not very good at. People with highly technical backgrounds tend not to make good communicators. In fact, the security profession is often taught that communication is bad - loose lips sink ships. However, based on the 2015 Security Awareness Report, over 90% of security awareness officers have highly technical backgrounds like IT admin, webmaster or security analyst. The very people in charge of communicating security are often the ones least qualified to do it.

Fortunately, there are solutions. The first is that, as geeks, we can step out of our comfort zone and develop communication skills. One of the best places to start is the book Making It Stick, an outstanding primer on effective communications and engagement. Numerous awareness officers swear by it. A second option is to find others who have the communication skills your security program needs, people often in departments such as communications, human resources, marketing, public relations or even sales. Bring one of these individuals onto your team and have them help you craft how you will communicate to your organization.

Once you have the resources and skills you need to communicate, you are ready to put together your HOW plan. The first thing to remember is that communication is a continuous process. Training people once a year may work for auditors, but it will not change behavior. The more often you reinforce key points, the more likely you will change behavior. In fact, this is why in the WHAT step we spent a great deal of effort prioritizing a few key topics. The fewer topics you focus on, the more you can reinforce them and the more likely you are to change key behaviors.

Second, WHO are you communicating to? Think of security awareness as a product you are trying to sell; we need to understand our customer. Things like nationality, culture, and generation all play a big role in how people want to learn and how you can most effectively communicate to them. In many cases you will have to use multiple communication methods to best reach everyone. Also, a trend I'm seeing is organizations migrating from a push method to a pull method of communication. Push represents traditional communication methods, such as email or scheduling a lunch-n-learn. The challenge is that people are very busy. The pull method adapts to people's schedules, such as Computer Based Training, video blogs, podcasts, newsletters, or social media. People can consume these materials when it's convenient for them, making it more likely you will engage them.

HOW is where I often see most awareness programs fail. Take the time to learn how you can most effectively communicate to and engage your employees and you will see a huge impact. Trust me, your employees will appreciate it.

To learn more about building high-impact awareness programs, join us for the two-day course MGT433: Securing The Human.