1/11/2017
10:30 AM
Lance Spitzner
Commentary
The 3 C's Of Security Awareness

Explaining the technical part of security comes easy for many of us. But the soft skills needed to change behavior are often sadly missing.

Over 80% of security awareness professionals have a background in either information security or information technology, according to SANS's 2016 Security Awareness Report. Less than 15% have a background in soft skills such as training, marketing, or communications. The technical part of awareness comes naturally, not so much the softer side of behavior change. 

It's one reason there is an uphill battle when it comes to building comprehensive awareness programs. Because cybersecurity professionals, including awareness leaders, are heavily steeped in technical skills, they understand what behaviors need to be changed but fall short in how they attempt to change those behaviors.

In a previous post, I described the "what" of a good security awareness program — what you should focus on and what makes a program effective. After analyzing scores of awareness program outcomes and working with hundreds of security awareness leaders in 2016, it's clear to me that we need to place a greater emphasis on how to change behavior and how to run a security awareness program in order to make awareness behavior stick.

The soft skills needed to change behavior and deliver key messages are critical to the success of an awareness program, starting with gaining executive-level support all the way to scrapping boring PowerPoint decks in favor of a personal story to better engage employees. To help awareness officers address this in 2017, I have put together the three C's of security awareness program success: communication, collaboration, and culture.

Communication
Ultimately, awareness is about effective communication. First we need to engage people and explain why they should care about cybersecurity. Then we need to communicate what we need them to do in simple terms and be sure people are able to exhibit those behaviors. Too many awareness professionals have been plagued with the curse of knowledge — the condition that happens when experts know something so well that they're terrible at communicating it precisely because they are experts.

Take Action: Fight the curse of knowledge at every turn and devote a percentage of time to improve how you communicate key awareness messages. A great place to start is to talk to your communications department and read the book Made to Stick by Chip and Dan Heath.

Collaboration
Security awareness touches everyone in the organization, so what you communicate and how you communicate to various stakeholders is critical to gain support, buy-in, and behavior change. In addition, establishing a solid program requires a vast number of different skills and coordination with different departments. For that reason, you'll need the ability to partner with various individuals and departments throughout your organization. Examples include working with communications to help engage employees, human resources to better understand your target groups, and legal and audit departments to ensure your program is compliant. The more people you partner with, the greater your chance for success.

Take Action: Create an advisory board made up of people from various departments who can help you build, maintain, and measure your awareness program from the beginning. Explore launching an ambassador program (employees who volunteer to help promote cybersecurity) that can not only scale your resources but also embed awareness throughout the organization.

Culture
Culture goes beyond behavior alone and includes the perceptions, attitudes, and beliefs people have toward cybersecurity. Culture, and the process of incorporating emotion, can be a challenge for technical people to grasp. Your existing culture plays a key role in how you communicate and collaborate in your organization, and ultimately in your success in changing behavior.

Outgoing cultures such as those found in technology companies often prefer humorous content they can watch and consume on their own schedule, while conservative cultures such as insurance, finance, and government often prefer more subdued or "professional" content and material that people can read or that can be delivered during office hours.

Take Action: Study your culture to understand the organizational values and beliefs that will inform your awareness program planning. Talk to people in your HR department; they often have the best understanding of your organization’s culture and how that may impact your awareness program.

Ultimately, your organization needs to leverage both technical skills and soft, human-centered skills to create a mature awareness program. Most security awareness professionals already understand the technical issues. But by addressing the 3 C's of awareness, either by developing your own skills or bringing in others who have those skills, you will go a long way toward changing behavior and your organization's culture.

Lance Spitzner is an internationally recognized leader in the field of cyber threat research and security training and awareness. He sits on the board of the National Cyber Security Alliance and helped develop and implement numerous multi-cultural security awareness programs ...
Comments
ClaJones,
User Rank: Strategist
1/12/2017 | 4:40:54 PM
One size fits all security training programs rarely work.
You must write/create a security training awareness program to fit your audience. You and I might appreciate it, but too much technical information will cause those who don't have a firm grasp of these topics to get glassy-eyed and tune out the content.
JulietteRizkallah,
User Rank: Ninja
1/12/2017 | 4:34:03 PM
CISO/CMO: collaboration for better communications
As mentioned in this article, the key will be for the Security Team/CISO and CMO/Marketing to collaborate on a communication plan, from formal communication of an awareness program to highlighting via email security incidents that occurred in the company and how to avoid them. Having the support of the CEO/COO/President is always a plus and helps shift the culture towards security.
kbannan100,
User Rank: Moderator
1/12/2017 | 2:01:15 PM
Re: a thought...
I agree! For instance, we know that printers are a huge target for hackers. How do you change the user behavior to make sure they are doing what they need to do when printing documents? How do you make sure all of IT is making sure that printers are set up carefully and that new printer purchases take into account the latest security protocols? 

--Karen Bannan for IDG and HP
lspitzner,
User Rank: Author
1/12/2017 | 12:18:26 PM
Re: a thought...
Ryan, I love sharing examples; unfortunately there are limits to what you can fit in a single article. One of the best examples of seeing all three elements come together is Ambassador Programs, something growing quite fast in the Security Awareness community. Organizations like Sony, Thomson Reuters and Diageo are outstanding examples. I'll see if I can have them come on as Guest Bloggers and share their stories.
lspitzner,
User Rank: Author
1/12/2017 | 12:10:27 PM
Writing Content
Monica, you are absolutely correct; this is why collaboration is so key. If you feel you may not be an effective communicator, lack creativity, or are not sure how to best 'market' awareness, turn to your advisory board. Build a team to help advise you on how to communicate and how to engage, especially at an emotional level. That is one of the things I love most about this job: just how much I continue to learn from others. - Lance
Ryanology,
User Rank: Apprentice
1/11/2017 | 11:22:45 AM
a thought...
On point and informative - well done! Including some real life examples would be helpful. :)