5 mistakes I’ve made (and how to avoid them)

Pulling from his years of building programs for The Walt Disney Company & Sony Pictures, Jason shares his own mistakes building security awareness and provides guidance on how to avoid them in your own security awareness programs.


“It began as a mistake.” –Charles Bukowski, Post Office.

This is probably one of my favorite opening sentences of all time, and perfectly details my affair with security awareness (and I’d guess a lot of my peers as well…).

I’ve built some really fun, really impactful awareness programs for companies like Disney, Sony Pictures, and Activision Blizzard. And you know what? I’ve made a lot of mistakes.

Here are some of them, and what I learned…

1. Trying to turn my employees into “human sensors”

I fell into the industry buzzword trap and started believing that I could program my coworkers as if they were an application or a SIEM appliance. I started explaining to them that in addition to their already busy roles and responsibilities (be that finance, HR, IT, marketing, production, whatever), they were also “sensors” for cybersecurity protection.

I had bought into the negative image, common in the InfoSec and IT space, that users are stupid. “You can’t fix stupid” is one of my all-time favorite statements to despise.

You can’t fix stupid, perhaps, but you can better architect your networks and write better policies that align with how your coworkers actually do their work.

I started pushing back on leadership and IT teams, asking: if we didn’t want users to re-use passwords or pick easy-to-guess ones, why did we make that an option in the first place?

2. Pushing the company agenda

When I first got into security awareness, I was rather submissive with my approach. I allowed leadership to define what security awareness was, instead of educating them about the potential power of it and how to harness it.

What I should have been doing was pushing the security awareness agenda to my leadership, and getting them excited about the multi-layered approach that would actually change behavior.

3. Not building a community and using guides

The value of a community is so obvious that I’m embarrassed it took me as long as it did to realize it. Had I paid attention to what was going on within my company culture, I would have seen all the sub-communities already existing, thriving, and driving the success of the company.

How quick are we to filter unknown senders and delete emails from people we don’t know? Yet so many times we insist on sending mass emails to our users from accounts they’ve never heard of.

The concept of ambassador programs has been around for a long time; the most successful example is probably floor wardens for fire escape and safety programs. A few key volunteers guide their coworkers to safety during an emergency evacuation (and fire drills).

For me, the most obvious “guide” was the executive administrative support for each department. So, I started talking with them. I listened, pitched my idea of sharing simple, usable cyber tips with users, and they loved it. They wanted to help. Whatever I needed, all I had to do was ask.

Every time I had a request to send a mass email to the entire company, I activated my network. My readership went sky high. My community grew. My culture changed.

4. Focusing on the wrong metrics

Man, I was the king of this for a long time. I was constantly searching for that magic dashboard metric that would make my CISO sing my name to the masses.

My top three metric missteps?

  • Phishing training click rate. The problem with focusing on the click rate is that it does not tell the whole story accurately: was there external news influencing the response, heavy vacation/holiday time, and so on? Instead, focus on the report rate, which reflects real behavior change.
  • Newsletter/email read rate. This was the saddest metric in my arsenal. Everyone felt awkward when I talked about it. It only highlighted my lack of ability to create engaging content and tell stories. Instead, we focused on intranet site traffic to specific pages/resources after a campaign was launched (perhaps for a video of the month, or a security awareness event like a speaker).
  • Annual training completion rate. While this is mandatory for most compliance reasons, it doesn’t really mean anything other than how effectively you could annoy and follow up with users who didn’t complete it. I opted to start tracking secondary training stats like hours spent learning. This would include coworkers attending functions, events, speakers, NCSAM, watching videos, etc., where I could take the number of attendees and multiply it by the length of the event. Showing leadership 500+ hours (for example) being spent learning voluntarily is a really great story.

5. Not separating “training” from “awareness”

This is definitely a classic mistake I see all too often. For a while, I thought because I was doing phishing training (simulations) and assigning annual compliance training, that I had my awareness program in check.

Training (annual, phishing, privacy, etc.) is a very important and fundamental initiative in a security awareness program. But to assume that these alone equal a security awareness program would be like putting some noodles and chicken in water and calling it momma’s homemade chicken noodle soup. Sure, those are some key ingredients, but on their own, they don’t really do much.

Awareness initiatives are the absolutely necessary ingredients of a program that bring everything together.

The initiatives I’ve found to be hands-down must-haves are:

  1. Ambassador Programs
  2. NCSAM events
  3. Engaging content (funny videos, etc.)
  4. Culture Assessments
  5. Simple policy one-sheets
  6. Role-based training like high-value targets, developer training, etc.

The really great part about making mistakes is how much you learn and how much stronger your programs grow from learning from them. I’m proud of the mistakes I’ve made because I feel they have given me the chance to connect with my coworkers and have a real dialogue with them. Hopefully, you can benefit from mine.

Your coworkers are smart, intelligent people who want to do the right thing. Let’s get out of their way and support them in that and empower them to make the right choices simply and without effort. Let’s tell stories that truly reflect our efforts and showcase the impact we’re having. Let’s be guides.

This article is published as part of the IDG Contributor Network.