
How to Turbocharge your Cybersecurity Awareness Training

Security awareness training can’t be a boring afterthought if it’s going to work. 

Own it. Secure it. Protect it. 

Those are the key themes for this year’s National Cybersecurity Awareness Month, coming up in October, and it’s good advice. Unfortunately, it’s the same message your trainees have been hearing for years and, at this point, they’ve largely tuned it out.

The challenge isn’t creating a pithy slogan. It’s turning advice into action and an enduring “culture of security.” At this point, cybersecurity is on the radar for most companies, and the smart ones make it a priority. To achieve their cybersecurity goals, many organizations implement cybersecurity awareness training sessions, which seek to educate the rank and file on threats and how to thwart them. When done well, these initiatives can be a way to focus the entire organization — and can greatly reduce the risk of data breach, cyberextortion or damaging disinformation campaigns.

When not done well, you’ll be lucky if your team remembers the words cybersecurity awareness as they shuffle out the door — no doubt refreshed after scrolling through Facebook or watching the latest Taylor Swift video.

The problem is that many security programs are actually less than the sum of their parts for the simple reason that they don’t have an overarching end goal. Sure, the objective is to educate your team on emerging threats so your company is more secure, but that’s a nebulous goal. And because it’s a nebulous goal lacking tangible motivation, your team doesn’t buy in. 

That’s not to say they don’t care about the company’s security. Of course they do — but it’s not personal. 

Unfortunately, when it comes to cybersecurity in the corporate sector, the human element is usually overlooked. This is a mistake. I often hear companies refer to humans as the “weakest link” in cybersecurity, which of course becomes a self-fulfilling prophecy. Enlightened organizations understand that security is a highly effective competitive differentiator (think Apple) and that humans, when properly trained, are the strongest defense against cyberthreats. Consequently, an effective program must start by getting people — from the top down — invested in the goal and the process. 

I’ve been the opening keynote speaker for hundreds of security awareness programs around the world, many of them outside the bounds of National Cybersecurity Awareness Month, and most of them leave me hungering for more: More engagement, more interaction and more actionable information. In short, more substance. 

Here are a few tips for designing a cybersecurity awareness program that will engage your team and get results.

Ownership

Don’t focus on the CISO, CRO, CIO or CTO. That would just be preaching to the choir. The missing but crucial link in cybersecurity awareness programs tends to be a security “believer” from the executive team or board of directors. Successful programs are clearly led, repeatedly broadcast and constantly emphasized from the very top of the organization — with an attitude of authenticity and immediacy. Whether it’s your CEO at an annual gathering or a board member kicking off National Cybersecurity Awareness Month, your security champion must not only become an evangelist but also have the authority and budget to implement change.

Strategy

Approach your program strategically, and devise a plan to protect your intellectual property, critical data and return on information assets. You’re competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in technobabble. 

  • What did it cost your competitor when ransomware froze its operation for a week? (e.g., FedEx: $300 million)
  • How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company millions of dollars? 
  • What do the directors of compliance, HR and IT have to add to the defense equation? 

The most successful cybersecurity awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology

Here’s a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings, and they want to know how this affects them personally before they invest time to protect the organization’s coffers. 

Excellent security awareness kicks off by making data protection personal — building ownership before education. From there, the training must be engaging (dare I say fun?) and interactive (live social engineering) so your audience members pay attention and apply what they learn. Death-by-PowerPoint will put behavioral change to sleep permanently. Highly effective programs build a foundational security reflex (proactive skepticism) and are interesting enough to compete against cute puppy videos and our undying desire for a conference-room snooze.

Sustenance

Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss — but that’s only the beginning. 

From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we’ve found short, funny, casual video tips on the latest cyberthreats to be highly effective (once your team takes ownership for their own data, and yours). Then, add lunch workshops on protecting personal devices, incentive programs for safe behavior, and so on. Culture matures by feeding it consistently.

Measurement

If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s training budget. Here are a few questions I ask when facilitating board retreats on cybersecurity: 

  • What are your cybersecurity awareness training KPIs, your key metrics? 
  • How did successful phishing or social engineering attacks decline as a byproduct of your program? 
  • Has user awareness of threats, policy and solutions increased? 
  • How many employees showed up for the Cybersecurity Awareness Month keynote and fair? 
  • Do your events help employees protect their own data as well?
  • How department-specific are your training modules? 

When you can show quantitative progress, you’ll have the backing to continue building your qualitative culture of security.

Over the long term, a culture of security that reinvents itself as cyberthreats evolve will be far less costly than a disastrous cybercrime that lands your company on the front page. National Cybersecurity Awareness Month is a great catalyst to get your organization thinking about its cybersecurity strategy. Now it’s time to take action.


About Cybersecurity Author & Expert John Sileo

John Sileo is an award-winning author and Hall of Fame Speaker who specializes in providing security awareness training that’s as entertaining as it is educational. John energizes conferences, corporate trainings and main-stage events by interacting with the audience throughout his presentations. His clients include the Pentagon, Schwab and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachael Ray. Contact John directly to see how he can customize his presentations to your audience.

Security Awareness Programs Like Mushy Overnight Oats?

To diagnose your under-performing cyber security awareness programs, all you need to do is look at my breakfast today. My daughter introduced me to overnight oats. “It’s the perfect breakfast, Dad – full of energy, takes no time at all, packed with simple, healthy ingredients like oatmeal, almond milk and peanut butter,” she said. “That’s what I need!” I said. “All of the power with none of the fuss.” So I took her recipe and promptly ignored it. I added cottage cheese, chia and some lemon – because if it was already good, I was going to make it even better.

What I got was curdled mush that crawled out of the bowl like John Cusack’s dinner in Better Off Dead. The theory of overnight oats was brilliant. It was my execution that made me gag.

Many security awareness programs choke on their own ingredients because, like my overnight oats, they don’t follow a recipe when they plan the program. They have no overarching security “end” in mind at the beginning, to paraphrase Stephen Covey. Empowering the human element of cyber security is the cultural ingredient that many organizations overlook. Think about tweaking your recipe a bit to make it more than palatable.

A Recipe for Effective Security Awareness Programs

One byproduct of serving as the opening keynote speaker for hundreds of security awareness programs around the world (in addition to the bottomless pit of mileage points I’ve earned), is that I have dined amidst training programs, OVER and OVER again, that leave me hungering for more substance and lots more flavor. Here is my simple recipe for a filling, enjoyable and effective Security Awareness Program:

Ingredients (For a Culture of Security that Cooks):

  • (1-3) C-Level Executive(s) who “Believe” (Ownership)
  • (1) Cross-Functional Business Case w/ Compelling ROI (Strategy)
  • High-Engagement Content Rooted in Personal Security (Methodology)
  • (6-12) Regular, Engaging Follow-on “Snacks” (Sustenance)
  • (1) Feedback Dashboard to Measure “Diner” Response (Metrics)

Ownership. Failing to have a highly-communicative Chief Executive leading your initiative is like expecting a 3-Star Michelin rating from a fast-food cook. You must have high-level “buy-in” for your program to work. I’m not talking about the CISO, CRO, CIO or CTO here – that would just be preaching to the choir. The missing cook in awareness programs tends to be a security “believer” from the executive team. Successful security awareness programs are clearly led, repeatedly broadcast and constantly emphasized from the top of the organization, all with an attitude of authenticity and immediacy. Whether served up by your CEO at an annual gathering or by your Board of Directors to kick off National Cyber Security Awareness Month, your security champion must become an evangelist for defending your data.

Strategy. Don’t expect to randomly add security ingredients to the bowl and blindly hope they mix well together. You’ll just end up with curdled oatmeal. Approach your program strategically, and devise a recipe to protect your intellectual property, critical data and return on information assets. You are competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in techno-babble. What did it cost your competitor when ransomware froze their operation for a week? How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company $47 million? What do the owners of compliance, HR and I.T. have to add to the meal? The most successful security awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology. Here is a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings and they want to know how this affects them personally before they willingly invest time to protect the corporate coffers. Excellent security awareness kicks off by making data protection personal – by building ownership before education. From there, the training must be engaging (dare I say fun!?) and interactive (live social-engineering) so that your audience members pay attention and apply what they learn. Death-By-PowerPoint slides will permanently put behavioral change to sleep. Highly-effective programs build a foundational security reflex (proactive skepticism), and are interesting enough to compete against cute puppy videos, smartphone farm games and our undying desire for a conference-room cat nap.

Sustenance. Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss. But that is only the beginning of the meal. From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we have found short, funny, casual video tips on the latest cyber threats to be highly effective. And lunch workshops on protecting personal devices. And incentive programs for safe behavior. And so on. Culture matures by feeding it consistently.

Measurement. If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s dining budget. What are your Security Awareness Training KPIs, your key metrics? How did successful phishing attacks decline as a byproduct of your program? Has user awareness of threats, policy and solutions increased? How many employees showed up for the Cyber Security Awareness Month keynote and fair? How department-specific are your training modules – or does one size fit all? When you can show quantitative progress, you will have the backing to continue building your qualitative culture of security.

And now, back to the meal. In spite of the lemon juice that further curdled the cottage cheese and ruined my oats, I was still hungry, so I ended up choking them down, vowing to listen to my daughter next time. And I hope you will listen to me this time: Approach your security awareness program like you are planning a feast for guests who matter a great deal to you. Because your uneducated employees, unprotected customer data, and invaluable intellectual capital are exactly what cybercriminals are eating for breakfast.

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.


John Sileo loves his role as a keynote “energizer” for Cyber Security Awareness Programs. He specializes in making security fun, so that it sticks. His clients include the Pentagon, Schwab and some organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachael Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime.