My first 100 Days as CMO at Terranova Security
I have been a tech marketer throughout my 20+ year career. The guiding principle I hold myself personally accountable for is: help technology buyers and influencers select technology that will solve a problem, bring value to the business and propel the organization closer to its corporate objectives, while delivering an amazing customer experience.
The buyer’s journey for technology decision makers and their teams typically consists of three stages, in each of which they search for and rely on current, relevant and accurate information to help their organizations: Stage 1: Awareness (a business problem is identified within the organization), Stage 2: Consideration (technology can help solve the business problem and the team looks for options) and Stage 3: Decision (a set of technology partners is selected to help solve the business problem and the team must choose the best option). This is no different for CISOs and the security awareness teams responsible for protecting their organizations from cyber attacks and making them secure and safer online. This is not an easy task for security professionals, as cyber attacks are growing in sophistication and security breaches are increasing quickly in both number and cost.
I joined Terranova Security 100 days ago, and the focus for my team and me is to support CISOs and security teams with compelling, unique offers and actionable content along each stage of the buyer’s journey. We are developing and providing content that is created with the customer in mind, reflects their voice, addresses the unique challenges faced by CISOs and presents them with possible solutions and guidance. We are committed to listening to their signals and making recommendations on the next best action.
Here is the CISO cyber security awareness journey we mapped out during our first meeting in our office in Montreal this past summer. We continue to evolve it with CISOs and security professionals in mind and their cyber security awareness success at heart.
CISOs face a business problem: Humans are the weakest link in cyber security – Stage 1: Awareness
Cyber security attacks are on the rise, and human error, not technology, continues to be the primary risk factor: 90% of cyberattacks can be traced back to human error. According to Gartner, people influence security more than technology or policy, and cybercriminals know how to exploit human behaviors. Security and risk management leaders must invest in tools that increase awareness and influence behavior that supports business objectives through computer-based training.[1]
It’s important to understand that behavioral change takes time and cannot be treated as a tick-box compliance exercise. To reduce human risk and develop a security culture, motivation is key to changing human behavior.
The following resources are available for CISOs and security professionals to learn more about motivating employees and changing behavior, achieving a security state of mind, and the three success factors for long-term behavioral change in security awareness.
CISOs Need to Mastermind an Effective Security Awareness Program that Reduces Human Risk – Stage 2: Consideration
Deploying a security awareness program across an organization is a complex effort. To change behavior and build a security culture, CISOs must treat security awareness as an ongoing program, carefully planned around the organization’s specific needs and objectives. An evidence-based framework should be applied; it becomes the blueprint or game plan for an impactful security awareness program.
Security Awareness 5-Step Framework
Step 1 | Analyze
Start your analysis by taking a closer look at your organization and its culture. There are 9 main areas to focus on for data gathering, including program goals, compliance requirements and target audiences.
Step 2 | Plan
Make decisions focused on 6 key elements to ensure program success, including identifying your security awareness team and your communication plan.
Step 3 | Deploy
Always deploy your campaigns in three phases. Learn more about how to properly test, launch and reinforce.
Step 4 | Measure
We provide you with recommendations on the security awareness metrics that should be measured.
Step 5 | Optimize
Finally, some guidance on how to optimize your security awareness program and which metrics matter most when making changes and improvements.
To help CISOs put the 5-step framework into practice, we created a CISO security awareness toolkit with some of the industry’s most unique offers:
To build a strong security culture within an organization, it is key to understand the organization’s security awareness program maturity level. The assessment provides insight into how each organization:
- Scores in security awareness program maturity – is your organization reactive, proactive or optimized?
- Ranks compared to other organizations, and identifies areas of strength and opportunities for improvement
- Can apply recommendations based on maturity level, needs and objectives
CISOs have been conducting awareness programs for years and realize that “the devil is in the details” when building a successful program. Initial attempts to get an awareness program started are usually done by trial and error, but this hit-and-miss approach is often ineffective or frustrating. During the webcast, CISOs will learn how the proven Security Awareness 5-Step Framework is leveraged by organizations globally to raise security awareness effectively. The framework incorporates several tried-and-true techniques for changing human behavior and is built on five essential steps: Analyze, Plan, Deploy, Measure and Optimize.
The Cyber Security Awareness book provides CISOs with step-by-step guidance on how to develop an effective security awareness program that enhances security behaviors.
CISOs Checklist – Selecting Short List of Cyber Security Awareness Partners – Stage 3: Decision
To help CISOs identify their selection set or short list of cyber security awareness partners, we have created the CISO checklist. It helps identify the most comprehensive cyber security awareness offering, one that includes Security Awareness Training, a Phishing Simulation Platform, and Compliance and Privacy (including GDPR) Awareness Training, supported by the security awareness 5-step framework, which provides an evidence-based, step-by-step approach to a successful security awareness program with measurable impact.
There are 5 people-centric elements that help drive cyber security awareness success within an organization. The common thread across the five elements is that a security awareness program must focus on the needs of your specific organization and your users and employees.
CISO Checklist to help select the right Cyber Security Awareness Partner:
- Consultative approach combining strong cyber security expertise and the ability to apply that knowledge to meet your organization’s specific needs, with:
  - CISO Coaching and Security Awareness Program Workshop
  - Experience in behavioral psychology and eLearning – expertise in ensuring your security awareness program is set up to motivate your users and drive behavioral change
  - Personalized Business Case – to help you make the business case and secure budget for the program
  - Dedicated Project Manager – you should have access to a dedicated project manager throughout your program for continuous support and guidance
- Power of personalization to ensure that all the components of the program are tailored to your users
- Evidence-based framework to provide a blueprint for your security awareness program
- Security Awareness Management Platform with automation and ease of use to help your program administrators build courses and deploy phishing simulations and content to users. Learn how automation allows your organization to scale regardless of your team’s size and deliver multiple impactful programs throughout the year. The administrator will also be able to measure and report on results.
- Flexible delivery models depending on your internal resources and level of expertise, including security awareness as a managed service
- All delivery models should be supported by a consultative approach including CISO Coaching, a Dedicated Project Manager and Personalized Training
We are committed to helping CISOs and their teams keep all organizations cybersafe & sound. We’ll continue to bring to market relevant content and resources that help build a security culture, make users the strongest link and make them part of the cybersecurity defense strategy.
[1] Gartner, Magic Quadrant for Security Awareness Computer-Based Training, Joanna Huisman, 13 November 2018.