National Cyber Security Awareness Month (NCSAM) is a big deal. Occurring every October, NCSAM started life as an American effort and has grown into a worldwide phenomenon. In this webinar, founders Jason Hoenich and Chad Loder use real-world knowledge to discuss how to use NCSAM to engage coworkers and create unique experiences.

Their expert advice is delivered with Habitu8’s usual irreverence and humor. Jason begins by saying, “October is a free license to annoy your user about security awareness.” For some reason they briefly discuss terrifying amusement park rides.

A post-webinar download offers detailed notes. Its description of the planning phases can serve as a template for your own action plan. Stages include:

  • Phase 1: Pre-Planning Goals (May-June)
  • Phase 2: Planning Goals (June-July)
  • Phase 3: Execution Goals (August-September)
  • Phase 4: October Goals (October)
  • Phase 5: Closeout Goals (November)

Start Early

If you take away only one message from this webinar, make it this: start early. Officially, planning begins in June/July, but Jason confesses that he actually starts thinking about NCSAM in May/June. There are a lot of reasons for this, including:

  • Securing resources and buy-in from stakeholders. This is critical because your budget may be limited. Also, early buy-in builds buzz within the company about upcoming events.
  • Celebrities and FBI agents are popular speakers and in demand during October. Schedule yours now.
  • Avoiding conflicts with other corporate programs. Is October also employee benefits month? Don’t overwhelm people with too much information.
  • Securing quality swag and videos takes time. It’s better to use nothing at all than to use bad swag and boring videos.
  • Giving Legal plenty of time to check your efforts.

Plan Before You Plan

You will note that Phase 1 is a pre-planning stage. Official planning takes place in Phase 2, when stakeholders get involved.

It is strongly recommended that you have a prepared plan before the first meeting with stakeholders. Maybe the stakeholders will like it, and maybe they won’t. Using their feedback to revise a plan is a lot easier than trying to come up with one from scratch at a kickoff meeting.

Do your brainstorming beforehand. You don’t want a bunch of folks from communications, IT, etc., staring blankly when you ask them, “What do you think we should do?”

Pick One or Two Themes

Besides getting a late start, another big mistake is overwhelming people with too much information. As Chad says, “I’d rather have people remember two things than be exposed to twenty things and not remember any of them.”

The themes should fit the goals of the company’s security awareness program. While themes are determined in the pre-planning stage, they can be modified with stakeholder feedback. Also, real-world events, such as a hack, can cause last-minute changes.

Don’t Forget the Metrics!

Metrics prove effectiveness and justify your job. If you have good metrics from last year’s NCSAM activities, it will be easier to get support for this year.

Q&A: Helpful Hints

In addition to providing an outline for an action plan, the webinar has practical advice. Some tips are discussed in the Q&A section below:

How do you get buy-in?

Having a plan in place shows confidence. It says, “I know what I am doing, and I have a vision.” People can buy in when they can see the plan and understand the methods to the madness.

How do you maintain momentum? Interest tends to fall off.

  1. Over-recruit resources by 30%. Assuming that there will be attrition, over-recruiting makes sure you get what you need.
  2. Stage recurring meetings. Early in the year, meet once a month. By July, meet twice monthly. Frequent meetings make sure that there is always some activity going on, and they let you know who is still involved.

Does NCSAM preload themes? Do you align with their themes?

You may prefer “custom” NCSAM activities, but companies with low resources might want to tap into what NCSAM offers. NCSAM puts a lot of energy into guidance, but one downside is that they change themes every week (i.e., too much information). Use traditional methods of communication, but in different ways. If you share videos in a lot of emails, change it up, and stage a live event. Be careful not to over-communicate by sending too many emails.

Do videos cause viewers to space out?

Don’t use bad videos. Also, don’t overlook the power of a live experience. A group can bond by watching a funny video together.

Watch the webinar video here.
Don't forget to download the notes with a template for a detailed action plan!