"It began as a mistake." – Charles Bukowski, Post Office.

This is probably one of my favorite opening sentences of all time, and it perfectly describes my affair with security awareness (and, I'd guess, that of a lot of my peers as well...).

I've built some really fun, really impactful awareness programs for companies like Disney, Sony Pictures, and Activision Blizzard. And you know what? I've made a lot of mistakes.

Here are some of them, and what I learned...

1. Trying to turn my employees into "human sensors"

I fell into the industry buzzword trap and started believing that I could program my coworkers as if they were an application or a SIEM device. I started explaining to them that in addition to their already busy roles and responsibilities (be that finance, HR, IT, marketing, production, whatever), they were also "sensors" for cybersecurity protection.

I had bought into the negative image of users as stupid that is common in the InfoSec and IT space. "You can't fix stupid" being one of my all-time favorite statements to despise.

You can't fix stupid, perhaps, but you can better architect your networks and write better policies that align with how your coworkers actually do their work.

I started pushing back on leadership and IT teams, suggesting that if we didn't want users to re-use passwords or use easy-to-guess ones, then why do we make it an option?

2. Pushing the company agenda

When I first got into security awareness, I was rather submissive in my approach. I allowed leadership to define what security awareness was, instead of educating them about its potential power and how to harness it.

What I should have been doing was pushing the security awareness agenda to my leadership: getting them excited about the multi-layered approach that would produce behavior change.

3. Not building a community and using guides

A community is so obvious, I'm embarrassed it took me as long as it did to realize this. Had I paid attention to what was going on within my company culture, I would have seen all the sub-communities existing, thriving, and driving the success of the company.

How quick are we to filter unknown senders and delete emails from people we don't know? Yet so many times we insist on sending mass emails to our users from accounts they've never heard of.

The concept of ambassador programs has been around for a long time; the most successful example would be floor wardens for fire escape and safety programs. A few key volunteers guide their coworkers to safety during an emergency evacuation (and fire drills).

For me, the most obvious "guide" was the executive administrative support for each department. So, I started talking with them. I listened and pitched my idea of providing simple, usable cyber tips to users, and they loved it. They wanted to help. Whatever I needed, all I had to do was ask.

Every time I had a request to send a mass email to the entire company, I activated my network. My readership went sky high. My community grew. My culture changed.

4. Focusing on the wrong metrics

Man, I was the king of this for a long time. I was constantly searching for that magic dashboard metric that would make my CISO sing my name to the masses.

My top three metric missteps?

Phishing training click rate. The problem with focusing on the click rate is that it does not tell the whole story accurately. For instance, was there external news influencing the response, heavy vacation/holiday time, etc.? Instead, focus on the report rate, which reflects real behavior change.

Newsletter/email read rate. This was the saddest metric in my arsenal. Everyone felt awkward when I talked about it. It only highlighted my lack of ability to create engaging content and tell stories. Instead, we focused on intranet site traffic to specific pages/resources after a campaign was launched (perhaps for a video of the month, or a security awareness event like a speaker).

Annual training completion rate. While this is mandatory for most compliance reasons, it doesn't really mean anything other than how effectively you could annoy and follow up with users who didn't complete it. I opted to start tracking secondary training stats like hours spent learning. This would include coworkers attending functions, events, speakers, NCSAM, watching videos, etc., where I could take the number of attendees and multiply it by the length of the event. Showing leadership 500+ hours (for example) being spent learning voluntarily is a really great story.

5. Not separating "training" from "awareness"

This is definitely a classic mistake I see all too often. For a while, I thought that because I was doing phishing training (simulations) and assigning annual compliance training, I had my awareness program in check.

Training (annual, phishing, privacy, etc.) is a very important and fundamental initiative in a security awareness program. But to assume that these equal a security awareness program would be like putting some noodles and chicken in water and calling it momma's homemade chicken noodle soup. Sure, those are some key ingredients, but on their own, they don't really do much.

Awareness initiatives are those absolutely necessary ingredients of a program that bring everything together. The initiatives I've found to be hands-down must-haves are:

- Ambassador programs
- NCSAM events
- Engaging content (funny videos, etc.)
- Culture assessments
- Simple policy one-sheets
- Role-based training (high-value targets, developer training, etc.)

The really great part about making mistakes is how much you learn and how much stronger your programs grow from learning from them. I'm proud of the mistakes I've made because I feel it has given me the chance to connect with my coworkers and have a real dialogue with them. Hopefully, you can benefit from mine.

Your coworkers are smart, intelligent people who want to do the right thing. Let's get out of their way, support them in that, and empower them to make the right choices simply and without effort. Let's tell stories that truly reflect our efforts and showcase the impact we're having. Let's be guides.