While security awareness does not signify understanding or equate to behavior, done right, it may lead to action. That only happens with a carefully designed and properly executed program.
The right elements create the environment for individual realization (see: the proper understanding of awareness) and the desire to learn more (see: how awareness leads to…).
The good news is that other disciplines and areas of life provide rich, successful examples of how to do this. Consider the centuries-old tradition of yoga.
The core of my yoga practice is in a studio, under the watchful eye of certified and experienced yoga teachers. The purpose of the space is to learn and practice yoga. In fact, they often remind us it's not called yoga perfection, but practice.
As a model for designing a successful security awareness program, consider three key elements:
A safe space to learn, explore, and grow
The bulk of my experience comes on the mat, in the studio. It is a safe place to practice. The expectation and intention when I arrive is that I am there to learn.
I know it is a place where I can push and try new things. A place where it's okay to fall (literally).
No one in the space is judging me. I’m not risking my livelihood or the embarrassment of my peers.
Security awareness needs the same construct: a safe place where people are allowed to realize impacts independent of work. Without the risk of embarrassment or negative career impact. A place (physical and/or virtual) where new experiences lead to realizations.
Trained, prepared, and present teachers
Yoga instructors, on average, must complete over 200 hours of training before they are allowed to teach a course. Most undertake the process after several years of personal practice. This means most have thousands of hours of practice -- and understanding -- of yoga, and training in how to teach others.
In my practice, I know I have several experienced guides contributing to my growth and success.
This is a big opportunity for security awareness -- and broader. Teachers qualified in both security and in teaching play a vital role in cultivating awareness, and then guiding the actions that come as a result.
Movements are explained, demonstrated, and adjusted
In scheduled practice, yoga poses, sequences, and concepts are explained and demonstrated. Often, the steps are broken into smaller parts, each building on the previous.
As individuals begin their practice, they are supported, watched, and adjusted -- in appropriate and supportive ways.
Sure, I check out some videos on yoga to learn the finer points of some poses. I read articles about yoga. Sometimes it helps improve my practice. And sometimes it just confuses me.
The most growth for me happens on the mat, in the studio. I get to ask questions in real time. Someone with qualified experience -- in both yoga and teaching -- is able to observe and guide me.
We need the same in security. It's not about telling people things.
Security awareness isn't a content problem. Sending information by email, pasting posters, or creating presentations is not the same as experiencing a concept.
It's the experience that creates a connection to the impact. The spark that creates understanding. The catalyst for individuals with awareness to seek more.
Successful security awareness includes demonstrations with clear explanations. It must provide options and guide participants through their own practice to reach their own realizations.
There is one final consideration, too.
The process is patient
Our bodies shift and change.
In yoga, what works one day may not be available to us the next. More... just because I did it once, doesn’t mean I’ll necessarily do it again. And some poses -- just like some skills in security -- really take a while to understand. Some will take years to understand and master. Others may never really be available to me. In all cases, that’s okay when it comes to my practice. Over time, however, I progress.
Security awareness is the same way. Situations and context shift. What works in one situation may not work in another. The key is designing an approach that helps individuals forge a mindful, personal practice.
Over time, individuals improve.
Our job: design security awareness for individual realizations
Successful security awareness designs the experience for individuals to come to their own realizations. In a safe space. Preferably guided by others that are skilled not only in security, but in communicating and leading others to the answers and outcomes they need.
We can achieve this outcome with a proper understanding of awareness and designing the entire experience for individual success.