A common problem we see in many awareness programs is that organizations understand WHAT behaviors they need to change but fail in HOW they attempt to change those behaviors. This is not to imply that a technical background makes a bad awareness officer - we need to understand the technology, risks and behaviors involved. However, where many of us fail is in the soft skills required to change those behaviors. There are three soft skills that are critical to delivering high-impact, effective security awareness training.
Communications
Ultimately, awareness is about effective communication. Our goal is to both motivate people and enable them, as per the BJ Fogg Model. As such, we have to first engage people and explain WHY they should care about cyber security. We then need to communicate to them in simple terms WHAT we need them to do and be sure people are enabled to exhibit those behaviors. In many ways this is similar to marketing - awareness is a product you are attempting to sell. The reason so many technical people struggle with this is that not only do we often have little if any training in communication, but we also suffer from what is called the Curse of Knowledge. This states that the more of an expert you are at something, the worse you are at communicating it. We perceive security as being simple while the rest of the world perceives it as scary and hard. If you want to smash through the Curse of Knowledge and improve your communication skills, start with the book Made to Stick.
Collaboration
Security awareness touches everyone in the organization, from interns and rank-and-file staff to senior executives around the world. Reaching all these different people in different locations requires you to work with people throughout your organization. What you communicate and how you communicate it to the IT department is going to be very different from what and how you communicate with the research team or the sales team. In addition, since security awareness programs require so many different skill sets and coordination with other departments, you could be working with groups such as Audit, Help Desk, Human Resources, Communications, Legal, Training, Security, Project Management, the LMS team and Branding, among others. Effective awareness programs require an ability to collaborate and work with other groups within your organization. One way to approach this is to create an Advisory Board made up of people from these various departments. Have them help you build, maintain and measure your awareness program from the beginning.
Culture
Culture goes beyond just behaviors. Culture also includes the perceptions, attitudes and beliefs people have towards cyber security. Culture, and the process of incorporating emotion, can be challenging for technical people to grasp. Your existing culture plays a key role in how you communicate and collaborate in your organization. Outgoing cultures such as those found in technology companies prefer content that is humorous and that they can watch and consume on their own schedule. Conservative cultures such as those in insurance, finance or government tend to prefer more subdued or professional content: materials people can read, or instructor-led sessions delivered only during office hours. Quite often organizations will have multiple cultures, especially organizations with very different generations. Ultimately, to create a secure culture you have to first understand and adapt to your existing culture.
Ultimately, to create a mature awareness program your organization will need to leverage both technical skills and soft, human skills. Most security awareness professionals already understand the technical issues. Many awareness programs struggle on the soft side. By addressing the 3 C's of awareness, either by developing your own skills or by bringing on others who have those skills, you will go a long way toward changing people's behavior and ultimately your organization's culture.