Last month we kicked off a blog series on the 4 W's in building an effective awareness program. We explained that to effectively manage human risk organizations need to answer four key questions; WHY, WHO, WHAT and HOW. Today we focus on the last question - HOW.
Ultimately HOW is about communication. To change behavior we have to effectively communicate to people WHY its important to them and WHAT you want them to do. Unfortunately, that is something our community is not very good it. People with highly technical backgrounds tend to not make good communicators. In fact, the security profession is often taught communication is bad - loose lips sink ships. However, based on the 2015 Security Awareness Report over 90% of security awareness officers have highly-technical backgrounds like IT admin, webmaster, security analysts or webmaster. The very people in charge of communicating security are often the ones least qualified to do it.
Fortunately, there are solutions. The first is as geeks we can step out of our comfort zone and develop communication skills. One of the best places to start is the book Making It Stick, an outstanding primer on effective communications and engagement. Numerous awareness officers swear by it. A second option is find others who have the communication skills your security program needs, people often in departments such as communications, human resources, marketing, public relations or even sales. Bring one of these individuals onto your team and have them help you craft how you will communicate to your organization.
Once you have the resources/skills you need to communicate you are ready to put together your HOW plan. First thing to remember is that communication is a continuous process. Training people once a year may work for auditors but it will not change behavior. The more often you reinforce key points, the more likely you will change behavior. In fact, this is why in the WHAT step we spent a great deal of effort prioritizing on a few key topics. The fewer topics you focus on, the more you can reinforce them and more likely change key behaviors.
Second, WHO are you communicating too? Think of security awareness as a product you are trying to sell, we need to understand our customer. Things like nationality, culture, and generation all pay a big role in how people want to learn, how you can most effectively communicate to them. In many cases you will have to use multiple communication methods to best reach everyone. Also, a trend I'm seeing is organizations migrating from a push methods to a pull method of communication. Push represents traditional communication methods, such as email or scheduling a lunch-n-learn. The challenge is people a very busy. The pull method adapts to peoples' schedule, such as Computer Based Training, video blogs, podcasts, newsletters, or social media. People can consume these materials when its convenient for them, making it more likely you will engage them. HOW is where I often see most awareness programs fail. Take the time to learn how you can most effectively communicate to and engage your employees and you will see a huge impact . Trust me, your employees will appreciate it.
To learn more about building high-impact awareness programs, join us for the two-day course MGT433: Securing The Human.