Perry Carpenter is lead evangelist for KnowBe4 Inc., supplier of the popular Security Awareness Training & Simulated Phishing platform.
Traditional cybersecurity training and education often relies on ominous emails announcing new policies and “must dos” for employees. Add to that the mandatory annual in-service sessions where bleary-eyed employees are forced to sit through a litany of PowerPoint slides packed with charts, graphs, and a mind-numbing array of acronyms and technical terminology few understand.
And yet IT leaders lament that their efforts to bring employees on board with cybersecurity awareness don’t work.
Take an employee-centric approach to training and education.
Approaching cybersecurity training and education based on conveying all rules, regulations and policies expressed in IT language is an exercise doomed to fail.
Instead, as with any effective communication effort, these efforts should be approached from the point of view of the target audience, in this case employees.
Think like a marketer.
Effective marketing efforts start with a thorough understanding of the target audience or audiences. What are their demographics: age, gender, etc.? With an employee audience, demographics also include the department they work in, length of time at the company, roles, and expectations. Different employee segments require different messages. The IT group will benefit from different messaging than the sales group. However, don’t make the mistake of thinking that IT staff don’t need security awareness – they do.
Security teams need to take steps to understand employees’ current understanding of security messages and where gaps may exist.
And of course, security-conscious marketers need to understand the social and behavioral drivers of employee actions. What is important to them? What motivates them? What are they worried about? You can then create messages to address employees’ pain points or motivators – to give them a reason to act or not, based on what they hear and learn. For example:
• “You are also at risk of cybersecurity breaches in your personal life. Understanding how to protect yourself in your work environment easily transfers to your home/personal environment.”
• “Protecting the company also protects you. Our success is your success and you can play an important role in helping us thwart cybercriminals.”
• “You can earn rewards and opportunities for your efforts.”
Perhaps the organization offers incentives to employees who successfully pass phishing exercises or report suspected phishing. Or, conversely, maybe you offer incentives to those who have recently failed phishing exercises or accidentally clicked on a genuine phishing email and are willing to share their experiences and what they have learned with others.
It takes a village: work with other departments to communicate expectations.
Most IT security professionals have minimal or no background in marketing. That’s why I thought it was folly to let them take full responsibility for communicating with employees about security efforts and expectations. Instead, IT leaders must collaborate with their colleagues in other roles in the organization, such as marketing and HR.
Marketers understand the marketing process and how communication can be used to influence awareness, perceptions and ultimately actions. HR professionals understand the employee population and what is important to them. And they have a lot of experience in communicating with employees.
Working together, these and other organizational leaders can help build and implement a sustainable and effective cybersecurity education and training program.
Prioritize ongoing communication.
Discussions, training and education about cybersecurity and the employee’s role in helping protect corporate systems and data should be ongoing and should include a wide range of communication tools and collateral.
Individual campaigns can run at specific times during the year, but in addition to these campaigns, it is important to communicate about these efforts regularly through materials such as newsletters. Leaders also need to identify opportunities to share information and collect employee input and feedback, such as in company meetings.
Finally, consider making an “elevator pitch” regarding your cybersecurity communications efforts and arm the organization’s leaders with the pitch so that they can continually convey that sentiment to their employees in multiple ways. A few examples:
• “You play a vital role in helping to protect our business, our customers and yourself from cyber threats. What can we do better to help you with that?”
• “Security requires all of us. Your efforts are more important than any piece of technology we have.”
• “If you see or are concerned about a potential security issue, please report it. Your vigilance makes a big difference – for our company, our customers and for you.”
Security is a journey and a conversation, not a destination and a guideline. Thinking like a marketer and taking steps to segment, understand and effectively connect with employees based on their needs, interests and concerns can help the organization better engage them in its cybersecurity efforts.