Over 80% of security awareness professionals have a background in either information security or information technology, according to SANS's 2016 Security Awareness Report. Less than 15% have a background in soft skills such as training, marketing, or communications. The technical part of awareness comes naturally, not so much the softer side of behavior change.
It's one reason there is an uphill battle when it comes to building comprehensive awareness programs. Because cybersecurity professionals, including awareness leaders, are heavily steeped in technical skills, they understand what behaviors need to be changed but fall short in how they attempt to change those behaviors.
In a previous post, I described the "what" of a good security awareness program — what you should focus on and what makes a program effective. After analyzing scores of awareness program outcomes and working with hundreds of security awareness leaders in 2016, it's clear to me that we need to place a greater emphasis on how to change behavior and how to run a security awareness program in order to make awareness behavior stick.
The soft skills needed to change behavior and deliver key messages are critical to the success of an awareness program, starting with gaining executive-level support all the way to scrapping boring PowerPoint decks in favor of a personal story to better engage employees. To help awareness officers address this in 2017, I have put together the three C's of security awareness program success: communication, collaboration, and culture.
Ultimately, awareness is about effective communication. First we need to engage people and explain why they should care about cybersecurity. Then we need to communicate what we need them to do in simple terms and be sure people are able to exhibit those behaviors. Too many awareness professionals have been plagued with the curse of knowledge — the condition that happens when experts know something so well that they're terrible at communicating it precisely because they are experts.
Take Action: Fight the curse of knowledge at every turn and devote a percentage of time to improve how you communicate key awareness messages. A great place to start is to talk to your communications department and read the book Made to Stick by Chip and Dan Heath.
Security awareness touches everyone in the organization, so what you communicate and how you communicate to various stakeholders is critical to gain support, buy-in, and behavior change. In addition, establishing a solid program requires a vast number of different skills and coordination with different departments. For that reason, you'll need the ability to partner with various individuals and departments throughout your organization. Examples include working with communications to help engage employees, human resources to better understand your target groups, and legal and audit departments to ensure your program is compliant. The more people you partner with, the greater your chance for success.
Take Action: Create an advisory board made up of people from various departments who can help you build, maintain, and measure your awareness program from the beginning. Explore launching an ambassador program (employees who volunteer to who help promote cybersecurity) that can not only scale your resources but embed awareness throughout the organization.
Culture is going beyond just behavior and includes the perceptions, attitudes, and beliefs people have toward cybersecurity. Culture, and the process of incorporating emotion, can be a challenge for technical people to grasp. Your existing culture plays a key role in how you communicate and collaborate in your organization, and ultimately your success in changing behavior.
Outgoing cultures such as those found in technology companies often prefer humorous content they can watch and consume on their own schedule, while conservative cultures such as insurance, finance, and government often prefer more subdued or "professional" content and material that people can read or that can be delivered during office hours.
Take Action: Study your culture to understand the organizational values and beliefs that will inform your awareness program planning. Talk to people in your HR department; they often have the best understanding of your organization’s culture and how that may impact your awareness program.
Ultimately, your organization needs to leverage both technical skills and soft, human-centered skills to create a mature awareness program. Most security awareness professionals already understand the technical issues. But by addressing the 3 C's of awareness, either by developing your own skills or bringing in others who have those skills, you will go a long way toward changing behavior and your organization's culture.
Lance Spitzner is an internationally recognized leader in the field of cyber threat research and security training and awareness. He sits on the board of the National Cyber Security Alliance and helped develop and implement numerous multi-cultural security awareness programs ... View Full Bio