Terranova is proud to be a part of RSA Conference 2018, taking place April 16-20 in San Francisco, CA. Come talk security awareness with our team at booth N5105! We look forward to chatting with you and learning about your security awareness initiatives.

Our expertise consists of bridging the gap between information security and awareness – an inseparable pair – so that your business and employees thrive as cybersecurity champions.

During your visit, grab a pair of trendy socks to add some extra sharpness to your attire – as you step into the scene of cybersecurity awareness.

Without awareness, there’s no security. They’re an inseparable pair!

The following article explores the true meaning of ‘raising awareness’ in the field of information security. Awareness has everything to do with changing human behavior – particularly in the case of information security awareness.

Let’s dive right in, shall we?

The field of information security has grown exponentially within the last decade, and consequently, has become a key focus area for organizations worldwide. Since sensitive data is readily available in digitized formats and cybercrime stubbornly adapts to even the most sophisticated of security technologies, information security needs something more.

That ‘something more’ has everything to do with humans

For a long time, we’ve been relying on technology to stand as the ultimate protector of personal and confidential data, disregarding the security standing of humans and their potential to become strong defenders of information security. Patches and firewalls do their part, but they only take us so far. Ultimately, organizations of the 21st century must turn toward their employees for much-needed reinforcement. And as they do, awareness works as the mechanism to achieve such empowerment.

Because … without awareness, information security simply cannot be

Anchoring your campaign in a behavioral framework

This calls for a complete awareness strategy that is designed to accomplish true behavior change in the workforce as well as help transform business cultures little by little to reflect the values and practices underscoring information security awareness. True awareness calls for action. According to authors and communication specialists Ann Christiano and Annie Neimand, in an article featured in the Spring 2017 issue of Stanford Social Innovation Review, awareness campaigns need to inspire learners to know more about a particular subject; however, more importantly, they must lead learners to carry out concrete actions, in real life. They write,

[We] need to use behavioral science to craft campaigns that use messaging and concrete calls to action that get people to change how they feel, think, or act, and as a result, create long-lasting change. (Christiano and Neimand, 2017)

This implies that raising awareness must be paired with the appropriate framework and the right cohort of project managers to guide the actual campaign deployment. It should also be accompanied by the right learning system and methods as well as effective communication strategies – including video, audio, visuals, and online media.

Mobilize your troops for optimal security awareness

When it comes to information security awareness, it’s all hands on deck. This signifies that you will undoubtedly want to mobilize the right people and use the right tools. Assemble your troops early in the process as you analyze organizational metrics and plan for your next security awareness campaigns. Schedule meetings and develop action plans with human resources, corporate executives, managers, and IT. Get departments to work holistically. Delegate tasks by department – depending on their respective areas of expertise – and get them to work together on the common goal. This creates a sense of belonging and solidifies the overall message of your security awareness campaign – as multiple groups are working in unison, a collective effort.

Corporate leaders, too, have a role to play in raising security awareness. They lead by example. Your target audience is more likely to internalize the desired behavior when it notices that its very own executives act according to core principles in security awareness. Leaders are the messengers for your campaign as they represent authority and trust within your organization:

Who is influential in a community is tied to whom people trust for information. And whom people trust is very much connected to how people see themselves, their values, and the identities. Social psychology tells us that if a call to action asks someone to do, believe, or represent something that runs counter to how they see themselves […] then they are not going to even entertain the idea. (Christiano and Neimand, 2017)

An interesting way to achieve the desired mobilization is by communicating early and often. A series of presentations – tailored to upper management and synthesizing the objectives, results, and benefits associated with an effective security awareness program – can adequately inform the decision makers of your organization and rally senior managers to participate in the joint effort.

The right communication strategy for your target audience

Raising awareness about information security must spark debate within the workforce. Engage audiences so that they question the status quo of their behavior and learn to acquire and carry out new best practices, reinforcing both privacy and security awareness. You must know your audience. To whom are you speaking? What is their initial understanding of information security awareness? Your awareness campaign will depend on these metrics, and so will your communication strategy and learning content.

You can have top-notch content. Nonetheless, if you aren’t adequately distributing its key messages, you will not be able to achieve results. Therefore, your security awareness provider should be your partner, guiding you throughout the many steps of implementation; ensuring that the vision of your organization shines through each campaign; and offering innovative content, followed by concrete actions.

Raising awareness represents an immersive collaboration between your information security provider, your organization, and your audience. Your communication strategy must be aligned with all three and serve as a megaphone for your campaign. Choose a security awareness partner that understands the importance of launching the right communication strategy for your audience.

If awareness is about people … then security awareness training is about people too

Understanding that your awareness campaign is about people – their values and roles – implies that you’ve already mastered the first part of raising awareness for information security. The second part of the equation consists of developing a comprehensive training curriculum – an action plan – that draws upon the various roles and responsibilities of each audience. Role-based training that is interactive and customizable provides the space for learners to thrive as it offers relevant and identifiable content that has been adapted to the professional reality of each job function and worker. Learners learn by doing.

For example, the General Data Protection Regulation (GDPR) is an excellent occasion to deploy role-based training with the aim of achieving compliance. As the EU regulation posits that every organization processing the personal data of EU residents – regardless of geographical location – must comply with its provisions, it is vital that every employee undergoes the best possible training regarding privacy and compliance.

Consequently, when selecting your solution for compliance training, look for a provider who offers role-based training so as to guarantee an interactive and relatable learner experience. You’ll optimize your overall security awareness campaign AND increase knowledge retention among end users.

***

Terranova will be present at the upcoming RSA Conference 2018, San Francisco and looks forward to meeting you.

Going to the event? Come find us at booth N5105. We’re discussing the human element of information security awareness and the importance of role-based learning in GDPR training and compliance.

Let’s talk about your security awareness program, and how we can work together to boost its success in creating a lasting security culture within your organization.
