The Five Secrets to Making Security Awareness Work in 2018


So, it is the start of a new year and you are hoping to do great things with your security awareness and training program. You have a desire to move beyond simple ‘box checking’ and to actually change hearts, minds and behavior patterns. You know that it is the right thing to do for your organization and are looking forward to seeing the positive results. The sticking point, however, is that – like most organizations – you probably don’t exactly know how you are going to make it happen.

My hope with this article is to help you begin the process of creating a solid plan and foundation that will enable you to achieve a game changing level of security awareness and behavior transformation. With that goal in mind, here are the five secrets that I use to best position security awareness leaders for success:

Secret 1: Have a vision of what ‘good’ looks like for your organization

The key to implementing this secret is implementing a framework to help ensure that you are approaching things in a structured manner, rather than simply making it up as you go. Especially in large global organizations, I recommend conducting a series of interviews or quick surveys to understand how different divisions and divisional leaders view security, understand policy and best practices, and what they truly hold important. It is always interesting to see the differences and similarities that this process can help uncover. It also helps you understand if your key executives are in alignment and if there are some political or logistical hurdles that you need to work through as you build your plan.

With this background knowledge, you can begin to create your goals for the year. For this, I like the SMARTER goal setting framework proposed by several productivity gurus. There are a few different versions of the SMARTER framework—I use the Michael Hyatt version.

Secret 2: View Awareness through the lens of organizational culture. I’ll be writing about this more in the coming months. But here is the big idea: your security culture is – and will always be – a subcomponent of your larger organizational culture. In other words, your organizational culture will ‘win out’ over your security awareness goals every time unless you are able to weave security-based thinking and values into the fabric of your overarching organizational culture.

Remember the survey and interviews that I mentioned at the start of the first secret. This where you’ll really get an idea of any organizational culture gaps that you need to account for. When you find these gaps, you’ll have a few choices: 1) modify your awareness program’s expectations and goals based on the identified gap, 2) work with organizational leaders to see how you can help influence the larger culture, or 3) a hybrid approach where you modify some goals while also doing the work of trying to influence the larger culture.

Of these, option 1 is clearly the easiest – but has very little reward associated with it; it’s the ‘safe’ route. Options 2 and 3 will involve more work, politicking, and likely a bit of frustration, but offer the greatest long-term benefit for the organization and for you. This is also where you can begin to leverage things like security champion/liaison programs to help infuse security-related values throughout the organization to create consistency and sustainability.

Secret 3: Leverage behavior management principles to help shape good security hygiene. Your awareness program shouldn’t focus only on information delivery. There are plenty of things that most of us are aware of – but we just don’t care about those things. Because of this, if the underlying motivation for your program is to reduce the overall risk of human-related security incidents in your organization, you need to incorporate behavior management practices. Most of my thinking about behavior management is heavily influenced by the research by BJ Fogg, who heads-up the Persuasion Tech Lab at Stanford University. Fogg’s research has influenced technology companies around the world who seek to create engaging experiences for their users and drive specific behaviors. His behavior model and work around habit creation is located here (http://ift.tt/xeX01O) and here (http://tinyhabits.com/).

I realize that most readers won’t have time to dig into the deeper details of behavior management and create their own unique programs. Don’t lose heart! Simulated phishing platforms distill some of the fundamentals of behavior management into an easy to deploy platform that allows you to send simulated social engineering attacks to your users and then immediately initiate corrective and rehabilitative action if the user falls victim for the simulated attack. Do this frequently, and you will see dramatic behavior change!

Secret 4: Focus on understanding the different personalities, drivers, and learning styles within your organization. (This goes back to the Specific and Relevant attributes of the SMARTER framework I referenced). It is critically important to understand your overall organizational context, the different types of people within the organization, regional contexts, divisional and departmental contexts, and so on. This not only helps you tailor content that will best speak to each of the groups, but can also help you avoid stepping on potential landmines.

Secret 5: Be realistic about what is achievable in the short term and optimistic about the long-term payoff

So here is where the rubber meets the road. You’ve got all of the planning out of the way, created goals, understand the nuances of your organization, and are focusing on creating real, sustainable change. Now it’s time to get started and to commit to perseverance. Many aspects of your program will be spaced throughout the year, and so it is important to commit to being consistent with your efforts. The beginning is just that – the beginning. You are focusing on training an entire organization; and that sometimes means training people how to be trained!

But here’s good news, the data show that you can see dramatic behavior change in as little as 90 days if you follow a best practice of combining security awareness content (e.g. computer-based learning modules) with frequent simulated phishing testing conducted at least monthly. In a recent study, we looked at the progress of more than six million accounts across nearly 11,000 organizations over a 12 month timeframe. Organizations that followed the best practice that I just mentioned saw their employee’s Phish-prone percentage drop by 50% in just 90 days – from a 27% baseline Phish-prone percentage down to 13.3%. And consistent training brought that down even more dramatically at the 12 month mark… from that initial 27% baseline all the way to 2%.

Are you ready to make 2018 a break-out year for your security awareness program?

About the author: Perry Carpenter is the Chief Evangelist and Strategy Officer for KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform.

Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "http://ift.tt/2DMAo6m"

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more