A recent Kaspersky Lab survey of nearly 8,000 full-time employees found that 12% claim to be fully aware of their organization's IT security policies and rules.Based on this finding, it sounds like current communication tactics aren\u2019t making much of an impact today. More communication is part of the answer. But, as the old saying goes, repeatedly doing the same thing and expecting different outcomes\u2026well, it isn\u2019t a rational approach. A combination of more \u2013 and different \u2013 communication is the answer.When it comes to communications in general, I\u2019m a member of the \u2018repetition-is-effective-communication\u2019 camp. People need to hear a message multiple times to make it stick.\u00a0 However, I think we must challenge ourselves to think differently about how and what we\u2019re communicating if we want to be successful in making security a priority for our employees.Start communicating on Day 1Employees are keen to start on the right foot and onboarding is a time when they\u2019re uniquely receptive and eager to do the right thing. Make security a key element of onboarding tasks with a three-part approach:A basic introduction from your IT\/security team about corporate security policies that covers on-premise and remote access to resources, BYOD and bring your own software (BYOS) use, use of cloud applications and storage, and similar topics.An interactive elearning course on security awareness that addresses password hygiene, phishing and spear phishing scams, and physical office security. The course should incorporate knowledge checks to confirm comprehension.A discussion between the manager and new employee that covers sensitive data (like customer information and intellectual property) and non-disclosure agreements. Most importantly, this discussion should clearly identify the types of sensitive data the new employee will have access to and the ramifications if this data is lost.Use powerful analogies"Analogies matter," John Pollock, author of Shortcut: How Analogies Reveal Connections, Spark Innovation, and Sell our Greatest Ideas, says. "The analogies we use have a big impact on outcomes, both positive and negative."Bruce Hallas, who founded The Analogies Project, is a believer in the power of useful security analogies. He describes trying to relay the importance of backups to librarians and how an analogy came to the rescue by grabbing attention and motivating the librarians to care:\u00a0\u201cThe Library of Alexandria ...was one of the great wonders of the ancient world, and all was lost because the library didn't have backups. Jaws dropped open. The librarians got it. That's the power of analogy.\u201dShow, don\u2019t tellWhenever you have the opportunity to demonstrate instead of talking, take it. Trying to impress upon your software developers the importance of secure AWS buckets? Demonstrate how you could create an insecure bucket, and then show how easy it is for anyone to gain access. Looking to describe spear phishing? Show an example or, better yet, have a team member share how they were targeted.Use multiple communication methodsCombine repeated messages with unique delivery methods. Your communication portfolio should include elearning courses, simulated phishing scams, simulated physical social engineering drills to test in-office security, email updates, and lunch-and-learn sessions.Tailor information to the roleOne of the golden rules for communicators is \u2018know your audience\u2019. An email phishing scam targeted at an accounts receivable clerk might look quite different than one aimed at your CTO\u2019s assistant. Similarly, your software developers are more likely than your AR clerk to need reminders regarding cloud storage security. Take time to assess the unique job requirements and associated risk, and then deliver corresponding communications.Connect security at work to security at homeIf you have the opportunity to provide resources or tools that will help an employee\u2019s security at home, this is a great way to reinforce the message and increase message relevance.Highlight the behaviors of role modelsEmployees will model the behavior of respected coworkers. Tap into role models in your organization and have them share what they do to maintain a security-first mindset.Take advantage of the expertsAcknowledge that the top communicators in your organization may reside outside of the IT team. Who are the recognized \u2018great communicators\u2019 in your organization, and how might you enlist these individuals to relay security messages? Partnering with other departments like HR and marketing is a good way to gain insight into the employee base and bring creativity to your messaging.Celebrate the successesFinally, I think it\u2019s necessary to acknowledge the bad-news fatigue that has set in because of the many recent security incidents. Today, it\u2019s easy to become fatalistic and believe that an attack or data breach is inevitable and attempts at prevention are futile. Your IT team knows this is not the case, and they have the data to prove attacks are regularly thwarted. When an employee skips the bait in a phishing email and reports the attempted attack, share the success. When your team is able to overcome a ransomware attempt with a segregated backup copy, share the success. Good-news messaging should be in your communications portfolio as well.