By Jason Hoenich on Oct 30, 2017
Look, I need to say this. Most security awareness programs suck.
We need to be honest with ourselves if we are going to effect change... As a passionate expert in the field, I am personally offended at what is happening in our industry.
End users are put through a series of poorly executed, hour-long training modules designed to cover every single aspect of cyber threats out there. We berate them with mass emails shoved into their inboxes telling them to “be vigilant”.
We hang up posters in break rooms and high-five our leadership because we checked another box for the auditors. We require them to “read” our security policies and sign off that they understand the 12 pages of legal verbiage that makes little to no sense, but then we berate them when they do something that violates those policies.
My favorite is that we send them fake phishing emails without telling them, and then make them feel like a genuine idiot when they respond to them.
This is the old school approach to delivering “security awareness”. It is compliance focused and designed from an IT perspective. This is generally the approach that the end user is the idiot, is the problem, is the threat, and can be beaten into submission. It does not work. It ends now.
Security Awareness 2.0
Security Awareness 2.0 upends this model and approach. Security Awareness 2.0 is all about that UX. User experience should be the foundational guiding principle in your security awareness program.
I’ve created programs for some major players - Activision Blizzard, The Walt Disney Company (of which the compliance training I designed featuring Mark Hamill on narration is still getting shoutouts on Twitter), and Sony Pictures Entertainment (post-attack). What I’ve learned from these companies is that you can’t put out junk content and expect users to pay attention.
I couldn’t assign an off-the-shelf training to the discerning minds that were creating experiences like Frozen, Star Wars, Guardians of the Galaxy, or video games like Call of Duty and Skylanders. I had to step up my game. I realized I had to put the user’s experience first and foremost.
It was at this moment when I realized that if you consider how your user will digest what you're putting in front of them - and make it relevant, unique, and intentional - they will listen. They will change their behavior. You will effect culture change.
Do you have an actual program plan? Do you have identified activities for this year, next, and the year after? Do you know where your program will be in maturity in 3 years?
How are you engaging your users? Have you ever done a culture assessment? Would your kids pay attention to your training? WOULD YOU PAY ATTENTION TO YOUR TRAINING?
What engaging stories are you telling? What interesting events are you hosting? How simple are your education & training statements? Do you have a reason for doing what you're doing? Start with why. Why are you sending this email?
Is this the best experience you can provide given your resources? What we're doing is Security Marketing. It's no different than Super Bowl ads, we're just trying to capture attention and change behavior. Or, we can just keep doing what we've been doing and hope for better results.
So. What version of security awareness are you currently running - 1.0 or 2.0?
Hit me up, let's talk about this stuff. I love helping programs make that transition.
Thanks for reading this, if you liked it I would appreciate if you would give it a share on your network...