If you want coworkers to support security, the first thing Nick Hilderman suggests is a positive attitude. “Security is often focusing on the negative aspects of things — on what could happen, the fear, uncertainty and doubt,” he says. Hilderman is senior security analyst at Finning International, a Canada-based distributor of Caterpillar equipment that is two years into an infosec advertising campaign. This campaign doesn’t market to customers. It’s an internal push to help Finning’s non-tech employees understand how important cybersecurity is.

Finning has long educated employees in security best practices. Before 2016, that education focused heavily on phishing — and was ineffective: Employees clicked through at above-average rates.

The emails also built resentment against security. “People often do not like [phishing campaigns],” Hilderman explains, “They feel tricked; they feel manipulated; they feel like you're trying to attack them.” People who are already doing their best “fall for it,” he continues, just to learn they were tricked by their own employer. The larger goal is good, but the approach is not. “We're just trying to educate you and people hate it,” he says.

So, Finning’s CISO Suzie Smibert took a hard look at security education and, according to Hilderman, “said ‘Let's build upon what's good and let's make it amazing.’” Then the two went to work: brightly colored posters in the halls, a video series on the company intranet, regularly delivered e-newsletters.

“We said, ‘We need to come up with this marketing gimmick where people will see our content,’” he continues, and see it they did.
Two years later, phishing clicks are below industry average and 75 to 100 employees serve as volunteer security ambassadors — employees from other departments “delivering out content to different groups in the different regions,” he explains.

Hilderman says those who hated security now advocate for it: “These individuals are actually going around putting up the posters for us. They're standing in front of their team meetings.” Ambassadors, he continues, are actually so enthusiastic about infosec that this year, Finning will award one lucky worker the title “security awareness ambassador champion.”

Reward good security behavior

Raising this level of support at your workplace all goes back to being positive. “When we first started our click rates were quite high,” he reiterates. “That's a negative metric, but at the same time we could roll it into a positive one.” Say your company’s phishing emails get a 25 percent click-through rate. Instead of focusing on the colleagues who failed, consistently congratulate the 75 percent who didn’t. Hilderman says this technique has pushed Finning’s phishing stat “well under the average failure rates for campaigns, and it didn't take us that long to get there, so again it was that message of not highlighting the negative results but then showing the positive of it.”

When employees catch real phishing scams, congratulate them. Finning’s corporate controller recently received a scam email, but let security know immediately. Then, Hilderman says, security told everyone else: “[We] said, ‘Look at this.
Our user, our corporate controller received this posing to be our CFO and CEO and he recognized it, and had he not recognized this, this could have cost us upwards of $300,000 to $400,000.’” The controller was lauded as a company hero, he continues, credited with having “stopped the attack before it even happened.”

Finning then took the congrats one step further and celebrated the controller’s success in a video, which serves as content for the company’s larger security marketing campaign. “We had our CISO on the same video just to talk about the importance of why this [video] exists, and then we got it out to the masses and it was just an incredible thing,” Hilderman explains. “We want to show that our people are doing the right thing...Through that, people will start showing up, right? People will start doing the right thing.”

A consistent, adaptable approach to security education

Of course, it’s easier to do the right thing when you know what that is. Phishing employees to see what they’ll fall for is unfair if staff aren’t already aware of best practices. Infosec has a lot to cover, so Finning’s posters and employee newsletters choose a new topic to focus on each month, like online shopping safety or tax scam awareness.

Just like a magazine, security drafts an editorial calendar where issues are planned. Hilderman stresses that topics stay “adaptable” in case a major breach or vulnerability makes the news.
Facebook/Cambridge Analytica, for example, is a hot topic he’s looking to address — specifically “tips on how to remove disclosure of your personal information online or secure it.”

To ensure information gets to all employees, Finning translates the newsletters into Spanish for the company’s South American locations. Translation isn’t easy, Hilderman admits, but the effort’s worth it: The controller who alerted security to the $300,000-plus scam speaks Spanish.

Working for a distributor of manufactured goods, Hilderman says, “Online security and online safety are often very much the same thing.” Advanced manufacturing is very different from traditional manufacturing where machines had to be replaced every time a new part was needed.

Today workers simply reconfigure a machine’s software so it can make something else. “We're connecting machinery online,” Hilderman says, so Finning doesn’t just have to prevent data breaches, but also “physical safety risks” that could come from someone hacking company equipment: “We want to teach people to secure their information, their accounts, build strong passwords, watch what's happening, because something as simple as a weak password could all of a sudden unlock the brakes of a machine.”

“One of the first things I do when I come into a company is find their key values,” Hilderman advises, “What's important to the company?” For manufacturers, that’s usually safety, so at Finning, that’s where security found a niche to prove value to corporate operations as a whole. When cybersecurity is intrinsic to core business functions, employees can better understand its importance.
“[Security’s] message is easy to get. It's the delivery and how to present it is what the challenge is,” Hilderman says.