The job of a CISO is never easy or straightforward. Against the backdrop of rapidly evolving cyber threats, you know that keeping your organization secure hinges, in part, on using the right tools and technology to meet today’s ever-changing attack landscape. But this is only one aspect of the equation; then there are your people.
Trying to Fix the People Problem in Security
Social engineering tactics, and phishing ploys in particular, were the responsible attack vector in almost 75 percent of all malware attacks on companies in 2017 thus far, proving that fixing human behavior is one problem that tech has yet to solve. One beautiful thing about firewalls, endpoint protection and threat detection platforms is that they can’t talk back; they don’t have pride and they can’t create a positive or negative feeling among their chip- and code-based counterparts. And save for the incredibly rare glitch, they perform as expected.
Your employees are an entirely different ballgame; trying to change risky behaviors with today’s common employee-training methods will likely lead to annoyance, disengagement and frustration, the byproduct of which is negative organizational noise.
There are some concrete ways that traditional training is creating this negative noise:
- Training sessions are not scheduled around the employees’ timeline. Rather, they are scheduled around the company’s timeline or the security staff’s timeline, which means that employees need to drop everything to attend workshops that stand in the way of accomplishing their own business goals.
- Training modules tend to fit a general audience, pointing out general risks, and as such are not concrete enough (if at all), so employees don’t see how the materials fit into the context of their daily work. For example, most training content following a phishing simulation discusses the risks of phishing, or some general points about phishing, which are difficult for an employee to apply in their daily race to screen out suspicious emails.
- After falling for simulated phishing ploys, employees are forced to engage with training material that is usually boring, drawn-out and harsh. In order to end the simulation, they must read long warning messages and content pages detailing their errors in negative prose.
- The goal of any training program is to drill certain principles into employees’ heads, and to accomplish this, many platforms use repetitive quarterly quizzes and redundant emails. There is a place for repetition, but it has to be done in the correct, subtle and sophisticated manner.
- Many phishing simulations create noise simply because of the way they’re sent, their content, their timing, etc. They are poorly designed and therefore disrupt employees and throw them off their work. Even the most advanced form of training creates noise when done poorly.
The result is cynicism towards security, a perpetual negative noise that pulses throughout your work environment, running counter to your goal of enhancing awareness. In both the long and short run, this negative noise puts your company at greater risk.
Transforming Noise into Buzz
But not all organizational noise is bad noise. There is a carefully crafted kind of noise that we believe can make a genuine and lasting change in the overall corporate attitude towards security. We tend to call it “THE GOOD BUZZ”. This buzz is what makes the change from building mere “security awareness” to establishing true “security readiness” in organizations. It’s the buzz that occurs with a training program that works in concert with your employees, their priorities and their tendencies. Research conducted by Brenda Killingsworth at East Carolina University shows that there is a significant link between knowledge-sharing and a positive attitude in the workplace. This positive attitude, or buzz, helps solidify and integrate the habits of continual learning with real behavioral change.
How can you achieve this “good buzz” and avoid negative noise?
Reaching a “good buzz” is all about the details of your employee training program; you already know that common training methods leave your employees feeling annoyed, harassed and drained. The right training methods leave your employees empowered and engaged. A good buzz happens when:
- Employees have the ability to choose the materials they engage with. They can decide to read concise or detailed educational content, or they can elect not to engage at all;
- Training is so subtle that it works in tandem with your employees’ schedules, never diverting them away from their work;
- Simulations resemble the real-life scope and context of phishing emails with total accuracy;
- Simulation emails are sent often and are constantly changing.
By working with a program that views end users as individuals, your employees get the most adaptable security learning experiences, ones that take into account your particular company culture, processes and practices. With data-driven learning solutions, based on sound educational and cognitive behavioral principles, your organizational stance towards security will become one that is more than just aware, it’s positive and security-ready.
Getting the Buzz you Want (Need!)
Successful security training is about much more than just going through the motions; in order to emerge victorious in the face of a real phishing threat, a true behavioral change must take root. By working towards a fundamental change using a solution that combines educational principles with security expertise, you can get rid of that frustration-filled negative noise associated with security training; instead, you’ll get the positive buzz that comes with being ready for whatever comes your employees’ way. Establish that good buzz.