Upgrade your Cyber Awareness Training with the Three C's of Security Awareness
According to the 2016 Security Awareness Report, over 80% of security awareness professionals have a background in either information security or information technology. Less than 15% have a background in soft skills such as training, marketing or communications. This technical orientation has significant implications for the impact of security awareness training programs.
A common problem we see in many awareness programs is that organizations understand WHAT behaviors they need to change but fail in HOW they attempt to change those behaviors. This is not to imply that a technical background makes a bad awareness officer - we need to understand the technology, risks and behaviors involved. However, where many of us fail is the soft skills required to change those behaviors. There are three soft skills that are critical to deliver high impact, effective security awareness training.
The Three C's of Security Awareness Training

Communications
Ultimately, awareness is about effective communication. Our goal is to both motivate people and enable them, as per the BJ Fogg Model. As such, we first have to engage people and explain WHY they should care about cyber security. We then need to communicate to them in simple terms WHAT we need them to do, and be sure people are enabled to exhibit those behaviors. In many ways this is similar to marketing: awareness is a product you are attempting to sell. The reason so many technical people struggle with this is that not only do we often have little, if any, training in communication, but we also suffer from what is called the Curse of Knowledge. This states that the more of an expert you are at something, the worse you are at communicating it. We perceive security as simple, while the rest of the world perceives it as scary and hard. If you want to break through the Curse of Knowledge and improve your communication skills, start with the book Made to Stick.
Collaboration

Security awareness touches everyone in the organization, from interns and rank-and-file staff to senior executives around the world. Reaching all these different people in different locations (and potentially in different languages) requires you to work with people throughout your organization.
What you communicate and how you communicate to the IT department in Chicago is going to be very different from what and how you communicate with the research team in Munich or the sales team in Singapore. In addition, since security awareness programs require so many different skill sets and coordination with other departments, you could be working with groups such as Audit, Help Desk, Human Resources, Communications, Legal, Training, Security, Project Management, LMS team and Branding, among others. Effective awareness programs require an ability to collaborate and work with other groups within your organization (and perhaps even outside your organization). One way to approach this is to create an Advisory Board made up of people from these various departments. Have them help you build, maintain and measure your awareness program from the beginning.
Culture

Culture goes beyond just behaviors. It also includes the perceptions, attitudes and beliefs people have towards cyber security. Culture, and the process of incorporating emotion, can be challenging for technical people to grasp. Your existing culture plays a key role in how you communicate and collaborate in your organization.
Outgoing cultures, such as those found in technology companies, prefer humorous content that people can watch and consume on their own schedule. Conservative cultures, such as those in insurance, finance or government, tend to prefer more subdued or professional content: materials people can read, or instructor-led sessions delivered only during office hours. Quite often organizations will have multiple cultures, especially organizations whose workforce spans very different generations. Ultimately, to create a secure culture you have to first understand and adapt to your existing culture. Read John Kotter's Leading Change to learn about changing culture.
Ultimately, to create a mature awareness program your organization will need to leverage both technical skills and soft, human skills. Most security awareness professionals already understand the technical issues; many awareness programs struggle on the soft side. By addressing the Three C's of awareness, either by developing your own skills or by bringing on others who have those skills, you will go a long way toward changing people's behavior and, ultimately, your organization's culture.