Intelligent CISO Issue 52 | Page 34


… with technology, firewalls and intrusion detection systems, and getting dragged in front of the board or trying to educate people is a bit alien to them. However, it's something they're embracing more and more. The first challenge is their perception of security awareness as a topic, and how it works. Many think, 'It's called security awareness; I'll make people aware of security and then they'll do things differently,' but that's not how it works. You can't simply stack awareness higher and higher, expecting a sudden behavioural change, as that relies on a connection between education and behaviour that honestly doesn't exist. Security leaders need to understand how awareness, education and behaviour change work.

I think a second challenge is getting the airtime. Many departments in large enterprises are trying to push their messages, whether it's about compliance, money laundering, new processes and systems being rolled out, or even this week's canteen special. Numerous messages are being pushed forward, and security can struggle for airtime and get lost in the noise.
The third challenge, referred to already, is the lack of time and resources put into awareness. If an organisation can balance the time and resources spent and is willing to invest in creating compelling content that people love to consume, such as gamification, the results can be effective.
Why is a borderless training platform so crucial given today's distributed – and often hybrid – workforce?

You can't keep training bound to the office environment anymore, as many training techniques we've used in the past, such as posters and digital signage in the office, become almost irrelevant to the new working model.
You need to think about more contextually appropriate content that will work in different environments. For example, what would work in a home environment? What would people have on their desks? What could act as a prompt in their home environments or when working on the road? You need to remember that a single-point deliverable just doesn't work. People forget to take steps by prioritising efficiency over security. The border of just having one message pushed across the company is irrelevant without long-term reminders and impact. You need to push different messages, at different times, through different channels so that people absorb the messages. Simply create an environment where the user is continually reminded of the right actions.
How important is it that the training approach is specifically tailored to individuals based on their geography, job role, or even specific users and user profiles?

It must be relevant to you in your role. If you can teach with a specific perspective in mind so that it relates to a role or location, then the individual will have a framework or context with which to associate the message, and they'll retain it better. You must try and figure out how you can tune the message to the person you're speaking to, to make it relevant to them for an effective result.

How important is a customised, tailored approach to awareness training to enable real behavioural change?
Lots of organisations will start out doing some phishing testing, receiving results of a 30% click rate – so one in three people will click on a phish – and it is possible to get that down to 1 or 2%, but to achieve this you need to focus on approaches beyond awareness. Smoking is a great example: there is 100% awareness that it's dangerous and yet still people smoke. So, awareness does not equal behaviour; they are not the same thing.
You need to consider other elements influencing behaviour, such as motivation. I commonly tell people to stop calling it a security awareness programme, even if you just do that internally within your team. Calling it 'security awareness' leads you to make the wrong conclusions about what you
34 www.intelligentciso.com