Hacking security awareness: the program-changing magic of the advisory board

Most successful company programs have a few common traits, one of them being an advisory board. Advisory boards can propel security awareness programs into uncharted levels of success, yet most programs today don't utilize this simple hack for success. Learn how Jason succeeded in implementing an advisory board and how you can see similar success with your own.


You know what moments I love? Those a-ha! moments. Security awareness is really hard. There’s very little guidance based on experience and it’s easy to feel like you're spinning your wheels. I’m going to share with you one of my own a-ha moments. The Advisory Board.

I wanted my security awareness program to be unique, authentic, impactful, and just as successful as some of the other internal programs I admired. But I wasn’t getting anywhere. So, I asked for help. I sought out the teams I admired and asked how they were being successful. The project managers' feedback varied for the most part, except that they all relied heavily upon an advisory board.

Being hesitant to request feedback and input on my program, I would question them to see if they had any fear about losing control. Oh, Jason. Young, naïve Jason. They would all kind of chuckle, acknowledging my concern.

"Sure, but then you see how damn effective you are and you kind of forget about it."

The idea of an advisory board felt very complicated and required a lot of extra work that I didn't feel was necessary. I was in charge of this program, and I didn't need anyone else meddling in it!

Then early into a new fiscal year and full of cynicism, I decided I would try creating a security awareness advisory board. My results were near instantaneous.

Following a combination of their guidance along with the external research I had done ("Hey Google, how do I create an advisory board?"), I had landed upon an approach I felt really confident about. My focus would be to:

1. Identify key stakeholders

Ideally, this was any department I would need to beg favors from in order to complete any of my security awareness goals. I wanted to include decision makers and team leads initially. The shortlist for me was:

  • Infosec (IR, GRC)
  • IT (Email, Helpdesk)
  • Corporate Communications
  • HR
  • Legal
  • Marketing

2. Have a program plan and pitch deck

If I was going to summon these teams, I needed to have a great story and motivation for them to participate. Usually, my winning justification was "I'm going to be implementing some things that will potentially cause you additional work at some point; this is your chance to help reduce those moments." Motivational, right?

3. Know what information I needed from each member

For example, including Legal would give me a resource for understanding our company's contractual limitations for training contractors and consultants.

HR would provide insight into existing compliance training resources. Corporate Communications would explain their processes and how I could embed my efforts with them rather than be bottlenecked by them.

IT would allow me to know how the Helpdesk communicates with employees directly, what kind of language they use, and what knowledge material I could update. They would also explain all potential filters and applications involved in email delivery.

Marketing, well – they bring the creative side – with insight into upcoming campaigns and internal efforts I could attach my program to. And ideas. This is all about relationship building and establishing trust. The members of your advisory board will become extensions of your program, acting as liaisons or ambassadors.

Imagine the potential of having your program goals discussed in meetings you typically aren't invited to. That kind of word of mouth is crucial to young programs; it creates social proof that will pay dividends for a long time.

Be sure that you know what your program goals are before you call the meeting, though; you'll need to exude competence and direction.

I have a great program plan template that will help build this for you. Hit me up, I’m happy to share it as a free resource.

Copyright © 2018 IDG Communications, Inc.
