Two CISOs meet for coffee.
Tom and Sally work as CISOs in different organizations. Sally asks about the recent cybersecurity awareness convention.
“How was it?”
Tom carefully sips his hot drink, then immediately wipes the milk foam off his upper lip. “I’ve learned the most valuable lesson today,” he answers.
“Great,” says Sally, inquisitively. “What was it?”
“Well, you know when you were working so hard at launching a truly engaging Information Security Awareness campaign for your end users in management, and you wanted to create positive hype in your organization?” responds Tom. “Well, ultimately, the only thing you need to remember is that if all else fails, you could resort to fear and punishment.”
Let’s face it. Your information security awareness campaign is only as engaging as the enthusiasm your workforce brings to it. As CISO, you are responsible for both creating and sustaining excitement about cybersecurity. Understanding what motivates end users to participate in training is vital to implementing your security awareness campaign effectively. So, how does one motivate participants?
According to Theo Zafirakos, CISO at Terranova, we generate strong engagement by getting to know the demographics of our campaign’s audience. Who are we addressing?
Zafirakos provides four key elements:
- Understand the culture of the organization and its workforce
- Test end users’ existing skill sets and knowledge about information security awareness
- Show how information security training brings value to participants’ lives
- Provide the right incentives for good behavior
Positioning our campaign for its target audience, and acknowledging the strengths and weaknesses of the participants, allows CISOs to gauge their campaign effectively and achieve a greater degree of behavioral change.
Getting Your People on Board
The conversation between Sally and Tom – though mainly serving a comic purpose – reveals an important aspect of raising security awareness: fear and punishment do not strengthen best practices for information security. According to Zafirakos, appropriate behavior conditioning occurs through positive motivation. He highlights that Raising Security Awareness Effectively is about people more than about technology, and that effective engagement takes place when everyone in the organization is involved in the campaign, so that participants feel motivated to take part. We start by testing users’ skills with unannounced phishing simulation exercises. Then, after carefully analyzing the results, we reach out to HR, Marketing, Team Leaders and Upper Management and map out a thorough campaign, complete with bells and whistles.
This is where we get our audience involved. We use all media channels at our disposal to get the message out: “information security awareness has arrived, and you are a key player in this learning opportunity.” We make sure that training content is adapted to our audience’s existing knowledge so that they can push the learning envelope further. We name security ambassadors within the workforce so that each team has a direct go-to person representing the campaign. We share security success stories regularly and make sure to acknowledge the users who have been applying best practices in their daily work. Although an awareness campaign is primarily intended to ensure the organization’s cyber safety, it also benefits the participants, since many of the concepts learned carry over into daily life. The campaign is about the organization, but more importantly, it is about training users who will in turn benefit the whole organization through best practices.
“As it affects all employees in an organization, time and support are required to participate in learning activities. Users will still make mistakes, even with proper training, but it takes one user to do the right thing and prevent a breach,” says Zafirakos.
Terranova is currently launching its new course, Raising Security Awareness Effectively, a comprehensive and innovative course that inspires CISOs to implement engaging security awareness programs and campaigns within their organizations. The course sheds light on participant engagement and on how to strengthen motivation within the workforce.