Endpoint
1/11/2017
10:30 AM
Lance Spitzner
Commentary

The 3 C's Of Security Awareness

Explaining the technical part of security comes easy for many of us. But the soft skills needed to change behavior are often sadly missing.

Over 80% of security awareness professionals have a background in either information security or information technology, according to SANS's 2016 Security Awareness Report. Less than 15% have a background in soft skills such as training, marketing, or communications. The technical part of awareness comes naturally, not so much the softer side of behavior change. 

It's one reason there is an uphill battle when it comes to building comprehensive awareness programs. Because cybersecurity professionals, including awareness leaders, are heavily steeped in technical skills, they understand what behaviors need to be changed but fall short in how they attempt to change those behaviors.

In a previous post, I described the "what" of a good security awareness program — what you should focus on and what makes a program effective. After analyzing scores of awareness program outcomes and working with hundreds of security awareness leaders in 2016, it's clear to me that we need to place a greater emphasis on how to change behavior and how to run a security awareness program in order to make awareness behavior stick.

The soft skills needed to change behavior and deliver key messages are critical to the success of an awareness program, starting with gaining executive-level support all the way to scrapping boring PowerPoint decks in favor of a personal story to better engage employees. To help awareness officers address this in 2017, I have put together the three C's of security awareness program success: communication, collaboration, and culture.

Communication
Ultimately, awareness is about effective communication. First we need to engage people and explain why they should care about cybersecurity. Then we need to communicate what we need them to do in simple terms and be sure people are able to exhibit those behaviors. Too many awareness professionals have been plagued with the curse of knowledge — the condition that happens when experts know something so well that they're terrible at communicating it precisely because they are experts.

Take Action: Fight the curse of knowledge at every turn and devote a percentage of time to improve how you communicate key awareness messages. A great place to start is to talk to your communications department and read the book Made to Stick by Chip and Dan Heath.

Collaboration
Security awareness touches everyone in the organization, so what you communicate and how you communicate to various stakeholders is critical to gain support, buy-in, and behavior change. In addition, establishing a solid program requires a vast number of different skills and coordination with different departments. For that reason, you'll need the ability to partner with various individuals and departments throughout your organization. Examples include working with communications to help engage employees, human resources to better understand your target groups, and legal and audit departments to ensure your program is compliant. The more people you partner with, the greater your chance for success.

Take Action: Create an advisory board made up of people from various departments who can help you build, maintain, and measure your awareness program from the beginning. Explore launching an ambassador program (employees who volunteer to help promote cybersecurity) that can not only scale your resources but also embed awareness throughout the organization.

Culture
Culture goes beyond behavior alone and includes the perceptions, attitudes, and beliefs people hold toward cybersecurity. Culture, and the process of incorporating emotion, can be a challenge for technical people to grasp. Your existing culture plays a key role in how you communicate and collaborate in your organization, and ultimately in your success at changing behavior.

Outgoing cultures such as those found in technology companies often prefer humorous content they can watch and consume on their own schedule, while conservative cultures such as insurance, finance, and government often prefer more subdued or "professional" content and material that people can read or that can be delivered during office hours.

Take Action: Study your culture to understand the organizational values and beliefs that will inform your awareness program planning. Talk to people in your HR department; they often have the best understanding of your organization’s culture and how that may impact your awareness program.

Ultimately, your organization needs to leverage both technical skills and soft, human-centered skills to create a mature awareness program. Most security awareness professionals already understand the technical issues. But by addressing the 3 C's of awareness, either by developing your own skills or bringing in others who have those skills, you will go a long way toward changing behavior and your organization's culture.

Lance Spitzner is an internationally recognized leader in the field of cyber threat research and security training and awareness. He sits on the board of the National Cyber Security Alliance and helped develop and implement numerous multi-cultural security awareness programs ...

Comments
ClaJones, User Rank: Strategist
1/12/2017 | 4:40:54 PM
One size fits all security training programs rarely work.
You must write/create a security training awareness program to fit your audience. You and I might appreciate it, but too much technical information will cause those who don't have a firm grasp of these topics to get glossy-eyed and tune out the content.
JulietteRizkallah, User Rank: Moderator
1/12/2017 | 4:34:03 PM
CISO/CMO: collaboration for better communications
As mentioned in this article, the key will be for the Security Team/CISO and CMO/Marketing to collaborate on a communication plan, from formal communication of an awareness program to highlighting via email security incidents that occurred in the company and how to avoid them. Having the support of the CEO/COO/President is always a plus and helps shift the culture towards security.
kbannan100, User Rank: Apprentice
1/12/2017 | 2:01:15 PM
Re: a thought...
I agree! For instance, we know that printers are a huge target for hackers. How do you change the user behavior to make sure they are doing what they need to do when printing documents? How do you make sure all of IT is making sure that printers are set up carefully and that new printer purchases take into account the latest security protocols? 

--Karen Bannan for IDG and HP
lspitzner, User Rank: Author
1/12/2017 | 12:18:26 PM
Re: a thought...
Ryan, I love sharing examples; unfortunately there are limits to what you can fit in a single article. One of the best examples of seeing all three elements come together is Ambassador Programs, something growing quite fast in the Security Awareness community. Organizations like Sony, Thomson Reuters and Diageo are outstanding examples. I'll see if I can have them come on as Guest Bloggers and share their stories.
lspitzner, User Rank: Author
1/12/2017 | 12:10:27 PM
Writing Content
Monica, you are absolutely correct; this is why collaboration is so key. If you feel you may not be an effective communicator, lack creativity, or are not sure how to best 'market' awareness, turn to your advisory board. Build a team to help advise you on how to communicate and how to engage, especially at an emotional level. That is one of the things I love most about this job: just how much I continue to learn from others. - Lance
RyanH443, User Rank: Apprentice
1/11/2017 | 11:22:45 AM
a thought...
On point and informative - well done! Including some real life examples would be helpful. :)