Awareness revisited – overcoming those hurdles

Nov 17, 2017 | 5 mins
Data and Information Security, IT Skills, Phishing

Taking the traditional critical success factors of security awareness into account may not be enough to create a security-aware environment. A number of hurdles can still make you fail. So how can we overcome them?


Though we spend more and more effort on security awareness, people remain a key vulnerability, and we can often only conclude that security awareness programs are not as effective as we would hope.

As indicated in my previous post, it is quite troublesome that even ‘best practice’ awareness programs are not always that successful, i.e. programs that took all the traditional security awareness critical success factors into account: obtaining executive management support, involving the internal communication team, making it ‘interesting’, using leading marketing and learning techniques, branding through a clear and distinct identity, implementing behavioral accountability, etc.

Clearly, if awareness programs are failing, there is a need to investigate why and, where needed, amend the list of critical success factors or add some nuance. In my previous post, I explored some of the root causes of why awareness programs fail or are less successful, even when executed by the book. The six main ones I identified were:

  1. Massive competition from other communication campaigns
  2. Learning fatigue
  3. General disinterest of the target audience in the topic
  4. Digital learning platforms are only partially effective
  5. Security resources are not necessarily good communicators
  6. We rely too much on people being able to do the right thing

There is probably no perfect or one-size-fits-all solution to overcome these hurdles. However, I do want to share some ideas that may help you arrive at a more effective (as well as more efficient) approach to security awareness.

Bringing awareness more effectively

  • Focus less on the roll-out of broad communication campaigns. Broad communications can be good for establishing recognition and a brand, but their effect soon wears off, and you are constantly competing with other campaigns. Instead, put your effort into a diverse array of communication opportunities that can play into the topics of the moment via different means of learning and communication.
  • Recognize the limitations of digital web learning, and use it only for the basic, bulk learning initiatives.
  • Embrace the power of good live presentations. They allow for interaction and people pay much more attention to what you say. Look for your best presenters, i.e. those that can bring the message in a compelling manner. Make the presentations pull not push – e.g. lunch and learn, hooking into existing team meetings, etc. Allow for enough time to interact with your audience.
  • Segment your audience. This will not only allow you to bring content that is more relevant to them, it will also allow you to target specific audiences that pose a larger risk. E.g. Who is handling the most critical information? Where do you see most incidents, mistakes, missed opportunities?

Bringing enticing content

  • Make it more personal. Relate it back to what people also encounter when protecting their personal data and computers, e.g. their online banking or their social media profiles.
  • Make the content specific to the organization and its environment, not some generic list of do’s and don’ts bought from a vendor. The latter can be a good starting point, but you have to integrate the context of your organization. E.g. if people are not allowed to use Dropbox, then tell them what the approved alternative is.
  • Play into cyber security news events: send out internal messages that showcase the ‘reality’ of the risks, and then repeat the key messages. Similarly, ensure that internal warning messages about new threats, or updates on security incidents, sent to end users are either awareness-branded or clearly refer to the awareness messages.
  • Team up a security technical writer with a person from internal communications who has a keen interest in security. ‘Technical writer’ is maybe the wrong term, because you need someone who is able to translate the security requirements and other content into layman’s terms. That person also needs to be able to create most of that content themselves, not rely too much on SMEs to provide it; the SMEs should review and comment, though. The communications person brings the marketing and communication flavor to the content and can package it in a format that maximizes the impact of the messages.

Enabling secure behavior

  • Interact with and listen to your target audiences, and feed that back into security enablement. They will tell you when and why they cannot (always) comply with certain requirements. E.g. people may tell you that they sometimes have to share passwords, even though this is against policy. Take these scenarios back to the rest of the security team and find solutions that remove the need for them.
  • Recognize that awareness activities will never fully mitigate the people vulnerability. Do not count on people becoming security experts. Instead, make sure that you rely less and less on their good judgement. Enable security by default, or otherwise make it very easy for people to demonstrate the ‘right’ secure behavior. E.g. people continue to choose weak passwords, so go for single-sign-on-like solutions and two-factor authentication. E.g. people don’t encrypt mails when they have to, so go for intelligent, automated encryption solutions that automatically encrypt mails containing particular content. In other words, focus on designing systems and processes that make it easy to act securely and don’t give users the option to behave otherwise.
  • Shift some of that end-user awareness effort towards systematic and comprehensive security training for developers. This will ensure that your systems (over time) have the necessary security built in by design, relying less and less on the correct secure behavior of end-users to protect the data.
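As an added illustration of the ‘encrypt automatically based on content’ point above (example code written for this page, not part of the original post or of any product), the sketch below models the policy decision an outbound mail gateway would make instead of asking the sender. The messages, the classification markers and the thresholds are constructed for illustration; a real deployment would hook this logic into the MTA or mail client and add many more detectors. The Luhn check is there because raw 16-digit regexes flag order numbers and tracking references, which is exactly the kind of false positive that makes users distrust and bypass a control.

```python
"""Content-driven outbound mail encryption rule (constructed example).

The sender is never asked whether to encrypt: the gateway inspects the
message and decides. Two detectors are modelled, a classification marker in
the subject and Luhn-valid payment card numbers in the body.
"""
import re
from dataclasses import dataclass

# Runs of 13-16 digits, optionally separated by spaces or dashes (candidate card numbers).
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Markers users are asked to put in the subject line (assumption for this example).
CLASSIFICATION_MARKERS = ("confidential", "internal only")


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order IDs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, normalised to plain digits."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.append(digits)
    return found


def sensitivity_reasons(msg: Message) -> list[str]:
    """Every reason the policy would give for treating the message as sensitive."""
    reasons = []
    subject = msg.subject.lower()
    for marker in CLASSIFICATION_MARKERS:
        if marker in subject:
            reasons.append(f"subject marked '{marker}'")
    cards = find_card_numbers(msg.body)
    if cards:
        reasons.append(f"{len(cards)} payment card number(s) in body")
    return reasons


def decide(msg: Message) -> tuple[str, list[str]]:
    """Policy decision: 'encrypt' when any detector fires, otherwise 'send'."""
    reasons = sensitivity_reasons(msg)
    return ("encrypt" if reasons else "send"), reasons


# Constructed sample traffic; the card number is the well-known Visa test number.
SAMPLE = [
    Message("alice@example.com", ["partner@vendor.example"], "Re: invoice",
            "Please charge card 4111 1111 1111 1111, exp 12/27."),
    Message("bob@example.com", ["carol@example.com"], "CONFIDENTIAL: Q3 forecast",
            "Draft attached, not for distribution."),
    Message("dave@example.com", ["shop@retailer.example"], "Order status",
            "Tracking ref 1234 5678 9012 3456 has not arrived."),
]


def decide_all(messages=SAMPLE) -> list[str]:
    """Decisions for a batch of messages, in order."""
    return [decide(m)[0] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE:
        action, why = decide(m)
        print(f"{action:8s} {m.subject!r}  {'; '.join(why) or 'no sensitive content'}")
```

The third message contains a sixteen-digit tracking reference that fails the Luhn check, so it goes out unencrypted; the first is encrypted because of the card number and the second because the sender marked it. Whatever the detectors, the design point is that the decision and its justification come from policy code that can be reviewed and tuned, rather than from each sender remembering the training.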

Tim Wulgaert is a consultant, advisor, presenter and author in the field of information security and privacy. He has over 15 years of experience in developing, reviewing and improving information security strategies, policies, awareness campaigns, organizational design and other related security management topics. He has helped companies from 15 to 150,000+ employees across the globe and in many different industries, including heavily regulated ones such as banking, telecommunications, healthcare and pharmaceuticals.

Currently, Tim is working on an initiative to build a security management content platform that aims to provide security and privacy professionals with hands-on security policy, process, awareness and other related security management content. In addition, Tim is supporting and advising CIOs, Chief Security Officers and Data Privacy Officers on selected projects and initiatives (via FJAM consulting).

Tim has worked for and with different Big 4 audit firms, strategic management consultants as well as niche security consultants and integrators. Between 2012 and 2017 he was also the Operations Manager, Transition Lead and overall “right hand” of the CISO of one of the largest pharmaceutical companies, managing a team of 300+ security and risk people across the globe.

He can rely on extensive experience in discussing and presenting strategic IT and Information Security topics with / to C-level management of both SMEs and multinationals.

Tim is the author of “Security Awareness: Best Practices to Secure Your Enterprise” (ISACA, 2005) and co-author of the Belgian Cyber Security Guide (Dec 2013, ICC Belgium and FEB/VBO). He also co-authored EY Mobile Money 2011 and helped develop and write EY’s 2008 Revenue Assurance Survey.

Tim is a regular guest speaker on topics such as security, privacy and social media. In the past, he also held presentations and wrote articles on mobile money, revenue assurance and fraud management, as well as on IT audit and business process modelling. Between 2006 and 2013, he was a guest professor at the Master in Computer Audit of the University of Antwerp Management School and the Executive Master in ICT audit & Security of the Solvay Business School.

The opinions expressed in this blog are those of Tim Wulgaert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.