Florida Blue takes security awareness personally

Teaching employees about security may work best when you start with their personal concerns.

By Douglas B. Robison, Florida Blue, a 2014 CSO40 award recipient

I love my job.

I discovered this a few weeks ago on the way to a meeting when I was stopped by a former colleague of mine in the hall. She told me that earlier in the week, after leaving her daughter’s school play, she discovered she’d lost her smartphone. While she was dismayed at having to replace it, she wasn’t too distraught. Why? Because she’d followed our advice at a personal information security session and protected her information with a password. I felt like I made a small difference.

The question may be asked though - how does making an employee aware of how she could protect her smartphone and her personal sensitive information within it improve the security of our corporate information assets?

It has to do with who she is as an adult and how she and the rest of our employees learn.

At Florida Blue, we made the decision to update our awareness program from the standard annual CBT and a few published articles on our corporate Intranet. At the start of 2013, we committed to a mission focused on delivering meaningful, measurable, and sustainable awareness campaigns, events, and educational activities to develop and maintain a culture of personal and corporate security. To achieve this, our focus shifted and then centered on who our people are and how they learn.

One of the ways adults approach learning is to ask the question, “What’s in it for me?” Adult learners seek relevancy. In order to make information security relevant, we needed to apply the WIFM principle, i.e, “What’s In It For Me?” Obviously, employees have a stake when it comes to understanding policies, information classifications, and the “thou shall’s” and the “thou shall not’s” such as not putting a sticky note with your password underneath the keyboard. However, to educate our employees about risks, threats and vulnerabilities, we decided to bring it closer to home, quite literally.

The Personal is Professional

In the second quarter of 2013, our team launched the “I said ‘Know’” campaign. The goals of this campaign were to first educate our employees on personal information security and then, secondarily, bridge that information to enterprise information security. By making the content relevant to their personal lives, we believed we could convey the messages and change those behaviors which better protected personal information assets (and subsequently corporate information assets).

The first push within our “I said ‘Know’” campaign was with our Security Ambassadors. This effort involved sending one of our security experts to attend employee staff meetings and discuss one of our topics, such as “Securing Your Home PC,” “Securing Your Smartphone,” or “Protecting Your Kids Online.”

After a few weeks, we were swamped. We did not expect to receive such a level of interest so quickly, and what we discovered early on was that there was an unsatisfied appetite amongst our employees. Our session survey results confirmed this desire amongst our employees.

The second major deliverable in our campaign was our fourth quarter event, the Florida Blue Security Summit. It was conducted over two days at our corporate conference center where external security experts were invited to conduct individual breakout sessions on a host of personal security topics as well as providing an expo where our vendors offered and promoted their security solutions to our employees. Again, the response was overwhelming as indicated by our post summit survey results.

At this point in early 2014, we feel we have achieved our first goal, which was to make information security relevant. Now comes the bigger challenge, which is to begin the process of changing behaviors and finding a way to empirically show this. We believe this is attainable because of the relationships we have built, the credibility we have earned, and the trust we have fostered. These benefits were realized because we made the information security education relevant to the lives of employees both at work and at home.

Whether you accept that awareness plays a role in the security chain, and we would argue it absolutely does, when you make the commitment to awareness, your success will depend on the methods and approaches you employ. A fairly obvious statement, yes; however, your level of commitment will drive what you deliver.

If the decision is to demonstrably increase the better behaviors and reduce the poor ones which impact the security chain, then awareness becomes more than the name implies. Your awareness program becomes about education; to educate adults, you need to understand how they learn. One way they learn is through providing adults with pertinent and applicable knowledge.

We know our work is not finished and we have a long way to go, but we are pleased with the success so far. Plus, on a personal level, it started a love affair with my job.

~~~~

Douglas B. Robison is the program manager for the Security Education Program at Florida Blue. Doug has over 20 years of experience in learning and performance management and has served in numerous IT roles including his current duty as a security analyst.

Florida Blue is a 2014 recipient of the CSO40 award, presented to 40 organizations for their security projects and initiatives that demonstrate outstanding business value and thought leadership.  CSO40 winning organizations will be recognized — and many will be presenting their projects — at the CSO40 Security Confab + Awards event, to be hosted by CSO March 31-April 2.  Florida Blue will be presenting on April 1.  

This article is published as part of the IDG Contributor Network. Want to Join?

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Related:
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.