CISOs must empower users and expand cyber security awareness training to the entire organization

After nearly 20 years in the security awareness business, one truth hasn’t wavered: Cyber security awareness starts and ends with every single person in an organization.

Cyber security awareness is everyone’s business.

As security continues to grow in importance and becomes more key to business success, CISOs are being tasked with cross-functional leadership responsibilities to ensure the alignment of business objectives with IT and security strategies, and to manage risk rather than simply deploying tactical security technologies. While CISOs are responsible for setting the enterprise vision, strategy, and programs to protect information assets, they must also influence the entire organization and reduce human risk one person at a time.

The people in an organization are its number one asset, but they are also its biggest vulnerability. I read a study where 40 percent of employees admitted to clicking a link or opening an attachment from an unrecognized sender. That’s a human action! And it’s exactly what the cyber criminals who deploy phishing, vishing or SMiShing attacks want you to do – click links or open attachments which allow them to install malware on your system and steal sensitive, private data.

As long as there are regulations to meet and cyber criminals continue to target people with phishing attacks or other social engineering tactics, CISOs need to implement a people-centric cyber security awareness program and apply a human fix to the human risk.

5 steps to expand your cyber security awareness program

CISOs are aware that security awareness programs are the only real way to instill behavior change and battle human risk. The recent TechTarget IT Priorities survey revealed that end-user security awareness training is a top priority for businesses in 2019.

But not all security awareness programs are created equal. Although it’s difficult to change someone’s behavior, there are tried and true ways to instill learning for long-term behavior change. Successful cyber security awareness programs incorporate a comprehensive and ongoing methodological approach that takes into consideration your organization’s specific needs and objectives.

Terranova Security has been partnering with CISOs and security awareness leaders globally to change employee behavior and make teams more security aware since 2003. Our team of chief information security officers, security subject matter experts, behavioral scientists, educators and software engineers has been using a proven five-step framework to help Terranova Security clients understand what motivates an employee to learn, select the right security awareness tools to meet their training objectives and assess the outcomes of their security awareness programs.

We’ve seen so much success with the security awareness 5-step framework. My recently published cyber security book, The human fix to human risk, provides insight into what it takes to mastermind a security awareness program by leveraging best practices, case studies and worksheets. The book takes security awareness leaders through the details of how to implement the following five steps:

Step 1 - Analyze

Analyze. The “Analyze” step in the framework is essential to any security awareness program no matter how big or small your organization. A thorough analysis of the situation will give you all the information you need to build your security awareness plan with a solid foundation for success. And nowhere is it clearer that a people-centric approach to security awareness is the right route to take than in the analysis phase. Nearly every category in this step touches on people. Whether you’re identifying the target audience or assessing motivation, a focus on the people – your employees – is critical.

Step 2 - Plan

Plan. With the analysis and assessment complete, you are now ready to plan your security awareness program. Planning allows you to anticipate and address roadblocks, stay aligned with your objectives, stick to your timelines and budget and, ultimately, be more assured of success. If you simply dive into building a security awareness program hoping for the best, your outcomes will be hit and miss, and you will probably fall short of what you expected to accomplish. During the planning process, you will make decisions in these six areas: Team, Roadmap, Product, KPIs and Metrics, Communications and Program Presentation.

Step 3 - Deploy

Deploy. There are three phases in any security awareness campaign: Test, Launch and Reinforce. Testing is critical and should be accounted for in the planning process. Testing helps avoid a fast failure of an entire security awareness program. Think about it – if you sit down to devote the time to your training module and it fails to function properly, or your course credit isn’t registered when completed, how likely are you to want to try again? Testing will flag any technical issues and it will validate the flow and customization of content. Testing also will improve your probability of success. With successful testing completed, it’s now Launch time. As you deploy your campaign, clarity of communication is very important. It helps ensure everyone knows what to do and helps to keep campaign momentum. Reinforcing the campaign with additional communications tools beyond email helps to keep security awareness top of mind, helping employees retain what they’ve learned and drive continued behavior change.

Step 4 - Measure

Measure. Measuring performance, participant satisfaction and compliance will allow you to identify areas where your program needs to be improved. In this step you will gather data to measure progress according to your predefined metrics (see Plan); track progress to effectively manage your campaigns and program; and report progress by communicating information about campaign performance to departments across your organization and demonstrating adherence to compliance requirements.

Step 5 - Optimize

Optimize. One of the most significant benefits of measuring performance, participant satisfaction and compliance is that you will have the context to identify areas for improvement and start developing an action plan to address them. You may find places to improve in a specific campaign or in your overall program.

The Human Fix to Human Risk at Gartner Security & Risk Management Summit 2019

Terranova Security will be at the Gartner Security & Risk Management Summit 2019 at National Harbor, MD June 17-20. I invite all CISOs and security awareness leaders to attend my session on Tuesday, June 18 at 1:15 pm in Theatre 1 where I will be presenting and answering questions about the security awareness 5-step framework. I also look forward to meeting you at the Terranova Security booth 416 where I will be signing copies of my book The Human Fix to Human Risk.

I’ll close this with a final thought: It’s been said that people change their behavior when the pain of staying the same becomes greater than the pain of changing. That’s not an option when it comes to cyber security. You don’t want to reach the painful point of suffering a data breach before your employees change their behavior. Download today and mastermind your security awareness program.


Lise Lapointe
CEO and Author
