Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.
Traditional cybersecurity training and education efforts often rely on scary emails announcing new policies and "must dos" for employees. Add to that the obligatory annual in-service offerings, where bleary-eyed employees are forced to sit through a litany of PowerPoint slides filled with charts, graphs and a mind-numbing array of acronyms and tech terminology that few understand.
And yet somehow IT leaders lament that their efforts to get employees on board with cybersecurity awareness aren't working.
Take an employee-centric approach to training and education.
Approaching cybersecurity training and education based on conveying all rules, regulations and policies expressed in IT language is an exercise destined to fail.
Instead, as with any effective communication endeavor, these efforts should be approached from the target audience's point of view—in this case employees.
Think like a marketer.
Effective marketing efforts start with a thorough understanding of the target audience or audiences. What are their demographics: age, sex, etc.? With employee audiences, these demographics will also include the department they work in, length of time with the company, roles and expectations. Different employee segments will require different messaging. The IT group will benefit from different messaging than the sales group. Don't make the mistake, though, of believing IT employees don't need security awareness—they do.
Security teams should take steps to understand employees' current comprehension of security messaging and where gaps may exist.
And, of course, security awareness marketers need to understand the social and behavioral drivers of employee actions. What's important to them? What motivates them? What are they concerned about? You can then create messaging to address employees' pain points or motivators—to give them some reason to act, or not act, based on what they hear and learn. For instance:
• "You're also at risk of cybersecurity breaches in your personal lives. Understanding how to protect yourself in your work environment can readily transfer to your home/personal environment."
• "Protecting the company protects you too. Our success is your success, and you can play an important role in helping us to thwart cybercriminals."
• "You can earn rewards and opportunities for your efforts."
Maybe the organization offers incentives to employees who successfully pass phishing exercises or report suspected phish. Or, conversely, maybe you offer incentives to those who have recently failed phishing exercises or accidentally clicked on a real phishing email and who are willing to share their experiences and what they learned with others.
It takes a village: Partner with other departments to communicate expectations.
Most IT security pros have minimal or no background in marketing. Consequently, I've found it's folly to allow them to assume full responsibility for communicating with employees about security efforts and expectations. Instead, IT leaders should partner with their peers in other roles in the organization such as marketing and HR.
Marketers understand the marketing process and how communications can be used to impact awareness, perceptions and, ultimately, actions. HR professionals understand the employee population and what's important to them. And they have plenty of experience communicating with employees.
Working together, these and other organizational leaders can help to build and implement a sustainable and effective cybersecurity education and training program.
Prioritize ongoing conversations.
Conversations, training and education about cybersecurity and the employee's role in helping to protect company systems and data must be ongoing and should incorporate a wide array of communication tools and collateral.
Individual campaigns may be undertaken at specific times during the year, but in addition to those campaigns, it's important to communicate frequently about these efforts through materials like newsletters. Leaders should also identify opportunities to share information and gather employee input and feedback, such as in company meetings.
Finally, consider creating an "elevator pitch" related to your cybersecurity communication efforts and arm organizational leaders with the pitch so they can continually convey that sentiment to their employees in multiple ways. Some examples:
• "You play a critical role in helping to protect our company, customers—and yourself—from cyber threats. What can we do better to help you do that?"
• "Security requires all of us. Your efforts are more important than any piece of tech we have in place."
• "When you see or are concerned about a potential security issue, report it. Your vigilance makes a big difference—to our company, our customers and to you."
Security is a journey and a conversation, not a destination and a directive. Thinking like a marketer and taking steps to segment, understand and effectively connect with employees based on their needs, interests and concerns can help to better engage the organization in its cybersecurity efforts.
Think Like A Marketer To Onboard Employees With Cybersecurity has 1108 words and was posted on www.forbes.com on October 3, 2022.