Security Awareness Programs Like Mushy Overnight Oats?

To diagnose your under-performing cyber security awareness programs, all you need to do is look at my breakfast today. My daughter introduced me to overnight oats. “It’s the perfect breakfast, Dad – full of energy, takes no time at all, packed with simple, healthy ingredients like oatmeal, almond milk and peanut butter”, she said. “That’s what I need!”, I said, “All of the power with none of the fuss”. So I took her recipe and promptly ignored it. I added cottage cheese, chia and some lemon – because if it was already good, I was going to  make it even better.

What I got was curdled mush that crawled out of the bowl like John Cusack’s dinner in Better off Dead. The theory of overnight oats was brilliant. It was my execution that made me gag.

Many security awareness programs choke on their own ingredients because, like my overnight oats, they don’t follow a recipe when they plan the program. The have no overarching security “end” in mind at the beginning, to paraphrase Stephen Covey. Empowering the human element of cyber security is the cultural ingredient that many organizations overlook. Think about tweaking your recipe a bit to make it more than palatable.

A Recipe for Effective Security Awareness Programs

One byproduct of serving as the opening keynote speaker for hundreds of security awareness programs around the world (in addition to the bottomless pit of mileage points I’ve earned), is that I have dined amidst training programs, OVER and OVER again, that leave me hungering for more substance and lots more flavor. Here is my simple recipe for a filling, enjoyable and effective Security Awareness Program:

Ingredients (For a Culture of Security that Cooks):

  • (1-3) C-Level Executive(s) who “Believe” (Ownership)
  • (1) Cross-Functional Business Case w/ Compelling ROI (Strategy)
  • High-Engagement Content Rooted in Personal Security (Methodology)
  • (6-12) Regular, Engaging Follow-on “Snacks” (Sustenance)
  • (1) Feedback Dashboard to Measure “Diner” Response (Metrics)

Ownership. Failing to have a highly-communicative Chief Executive leading your initiative is like expecting a 3-Star Michelin rating from a fast-food cook. You must have high-level “buy-in” for your program to work. I’m not talking about the CISO, CRO, CIO or CTO here – that would just be preaching to the choir. The missing cook in awareness programs tends to be a security “believer” from the executive team. Successful security awareness programs are clearly led, repeatedly broadcast and constantly emphasized from the top of the organization, all with an attitude of authenticity and immediacy. Whether served up by your CEO at an annual gathering or by your Board of Directors to kick off National Cyber Security Awareness Month, your security champion must become an evangelist for defending your data.

Strategy. Don’t expect to randomly add security ingredients to the bowl and blindly hope they mix well together. You’ll just end up with curdled oatmeal. Approach your program strategically, and devise a recipe to protect your intellectual property, critical data and return on information assets. You are competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in techno-babble. What did it cost your competitor when ransomware froze their operation for a week? How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company $47 million? What do the owners of  compliance, HR and I.T. have to add to the meal? The most successful security awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology. Here is a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings and they want to know how this affects them personally before they willingly invest time to protect the corporate coffers. Excellent security awareness kicks off by making data protection personal – by building ownership before education. From there, the training must be engaging (dare I say fun!?) and interactive (live social-engineering) so that your audience members pay attention and apply what they learn. Death-By-PowerPoint slides will permanently put behavioral change to sleep. Highly-effective programs build a foundational security reflex (proactive skepticism), and are interesting enough to compete against cute puppy videos, smartphone farm games and our undying desire for a conference-room cat nap.

Sustenance. Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss. But that is only the beginning of the meal. From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we have found short, funny, casual video tips on the latest cyber threats to be highly effective. And lunch workshops on protecting personal devices. And incentive programs for safe behavior. And so on. Culture matures by feeding it consistently.

Measurement.If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s dining budget. What are your Security Awareness Training KPIs, your key metrics? How did successful phishing attacks decline as a byproduct of your program? Has user awareness of threats, policy and solutions increased? How many employees showed up for the Cyber Security Awareness Month keynote and fair? How department-specific are your training modules – or does one size fit all? When you can show quantitative progress, you will have the backing to continue building your qualitative culture of security.

And now, back to the meal. In spite of the lemon juice that further curdled the cottage cheese and ruined my oats, I was still hungry, so I ended up choking them down, vowing to listen to my daughter next time. And I hope you will listen to me this time: Approach your security awareness program like you are planning a feast for guests who matter a great deal to you. Because your uneducated employees, unprotected customer data, and invaluable intellectual capital are exactly what cybercriminals are eating for breakfast.

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.

John Sileo loves his role as a keynote “energizer” for Cyber Security Awareness Programs. He specializes in making security fun, so that it sticks. His clients include the Pentagon, Schwab and some organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime.

5 Ways to Doom Your Next Cyber Security Summit (Cyber Security Speakers Like Ambien)

Have you ever snored through a cyber security speaker’s presentation, despite being caffeinated, sugared up and subjected to convention-strength air-conditioning? So imagine what it’s like for audience members who desperately need high-level background on data protection (so that their organization doesn’t become the next Target), but don’t have a technical bone in their body.

Many cyber-security awareness events are studded with brilliant techies full of amazingly useful ideas who have a minor problem communicating their genius. And if your audience members don’t listen, don’t understand, don’t care–then there is little hope of changing their risky data-security habits. Attendee boredom is a meeting planner’s nightmare, an IT department’s budget-buster and an organization’s fast track to data breach.

But your event doesn’t have to be this way. Avoid the 5 Ways and your team will become the silent hero of your next conference.

5 Ways to Doom Your Next Cyber Security Summit

  1. Sacrifice all entertainment at the alter of content. Because data security is a serious topic, meeting planners for cyber security events are often pressured to pack too much content into too little time, leaving attendees overwhelmed, undereducated and cranky. Solution: For your keynote and general sessions, hire cyber security speakers that deliver relevant content packaged in an entertaining and memorable style. That way, you are eating your cake and having it too. Conferences that balance relevant content with effective engagement get the most BANG! for their buck.
  2. Hire experts who talk AT your audience, not with them. Let’s face it, the traditional (talking head) keynote is dead. If your cyber security speakers and experts don’t interact with your audiences, they will lose them after the first 140 characters. Attention spans are short and attendees have Angry Birds to distract them, so you must entice them to listen on multiple levels. Solution: The best conference managers I’ve encountered make attendees part of the conversation by using tools like conference hash tags (#brilliant), social media follow-up discussions and by hiring interactive speakers that make the audience part of their presentation.
  3. Demoralize your attendees with techno-babble. Here is a secret: technical types like geek-speak because it makes them look smart and provides job security (who’s going to fire the guy that knows how to eliminate the Heartbleed Bug?). But that doesn’t work at conferences full of non-technical employees, managers and executives. In fact, it doesn’t even work with techies, because everyone is listening with a different level of ability. Solution: Look for experts able to express complex and technical ideas in simple ways that can be consumed and understood by ALL levels. For breakouts and deep dives, feel free to get as technical as the audience needs, but design your general sessions with everyone in mind.
  4. Save money by bringing in only “industry experts”. A common substitute word for “industry experts” is “vendors”. And the purpose of vendors is TO SELL PRODUCTS (to your audience). Vendors are a crucial component to the financial health of your event, but there is a better way to honor them. Solution: Have your vendors sponsor the keynote speakers that will make their product (and your conference) shine by association. Give their brand some exposure during the presentation so that your speaker doesn’t become a salesperson. Utilize vendors and “member experts” to fill in breakout sessions, panels and socializing events.
  5. Make it all about the organization. Conferences are often designed around getting employees to change their behavior “for the good of the company”. The problem is, we humans are somewhat selfish by nature and tend to ask what’s in it for us. It’s a neon red flag if your cyber security speakers teach in terms of policies and regulations, compliance and legal mumbo jumbo. Solution: Connect with your attendees by providing clear evidence on how they are affected personally by data protection. Once they “get it”, it’s easy to expand that security mindset into the workplace. Make security personal before you expect it to be applied professionally.

I have seen a number of cyber security speakers that rock the stage and end up making the meeting organizers the quiet heroes of the conference. Don’t settle for boring when you have an opportunity to make your event amazing.

If you are looking for cyber security speaker who will not only keep your audience awake with entertaining content, but who has spoken at the Pentagon, appeared on Rachael Ray and recently taken up Stand Up Paddle-boarding, get in touch with John directly on 800.258.8076.

“I’ve never learned so much I was doing wrong and had so much fun doing it!”  

– Fortune 500 CEO on John Sileo’s Cyber Security Secrets for Non-Geeks keynote