Groans can be heard office-wide every time IT rolls out its annual cybersecurity awareness training initiative. And it’s not just employees who dread it — often, executives and business leaders alike just want to check their compliance box and get it over with.
This fresh approach involves an important cultural shift, enterprise-wide — from executives and tech leaders to end users and stakeholders — to create long-term behavioral changes. That’s right… behavioral changes. That’s because disinterest in your cybersecurity program is often not something a shiny, new training module or managerial guilt-trip can fix.
Push Deep Understanding, Not Fear
Many organizations take a singular approach to their security initiatives. Their tactic of choice? Scaring leadership and employees into participating in cybersecurity training and vigilance.
“Awareness without understanding can create a culture of risk aversion and panic,” Forrester’s How To Manage The Human Risk In Cybersecurity report explains. This fear can incite anxiety and frustration. They’re either ultra-focused on avoiding reprimand or bitter or apathetic about what they perceive as an over exaggeration of the threat landscape, The Wall Street Journal reported.
Instead of punishing or shaming your team for failing phishing simulations or similarly exercises within your training module, use analytics to see where they’re falling short and uncover why. Then, provide the tools and resources they need to improve while rewarding them for their progress in learning. Remember to celebrate the small achievements and advocate your team as your strongest asset, not your biggest weakness.
Provide your team with tips that are both relevant to their home life as well as office life and remember to “rebrand security as a business enabler instead of a business nuisance,” Forrester reminds us, “so that employees are more receptive to security policies and can protect their business, themselves, and their families.”
Engage Both their Hearts and their Minds
In order to interest your team, you’ll need to stretch beyond the conventional curriculum and get them truly excited about learning. One method for doing so has been growing in popularity: experiential learning. It’s all about creating an experience of learning by doing, or “showing (and participating) rather than telling. During these actionable activities, your trainees are creating connections! “Without creating a connection, no amount of training will change their behavior for the long term,” Forrester concludes.
With today’s heavy security fatigue and your team’s limited attention spans and busy workdays, it’s more important than ever to activate creativity and stimulate them behind that computer chair and beyond.
Know Your Success Metrics
Too many enterprises conduct cybersecurity awareness training out of obligation, caring little about the actual results(other than if the teams pass their training, of course). By measuring your teams’ individual progress, you can appropriately reward your employees for their effort and make improvements to your security program.
Whether it’s celebrating each department's training “passing” with a little office party or paying out a small bonus for an enterprise social engineering testing campaign that hits a X% reduction in fake phishing fails, clearly identify and push meaningful metrics to measure your initiative's success. Without them, how will you know if your training is working? The truth is— you won’t.
It’s clear that enterprises with strong security cultures educate, enable and excite their team in a way unlike your everyday boring training program.
It’s no secret how. They do this by pushing both personal and business cybersafe and advocate their team as digital heroes — never villainizing their greatest assets. Curious to learn more about managing human risk in cybersecurity? Download the Forrester 2021 report here.
By Denmark Francisco