It takes an army to build an army
Big kudos to those responsible for designing and implementing cybersecurity awareness campaigns. They are the Cyber Alchemists of the 21st Century. Their job is to deeply understand ways in which to engage their audiences with a topic that, let’s face it, most of us would find quite dull. Not only do they need to encourage their people to read, watch, learn, and absorb the technicalities of cybersecurity, but also to become the cyber ambassadors or, as I call them, the security promoters of tomorrow. They need to be informed, involved, and inspired towards security. Not just security in general, but the security of the organization they work for, even when many employees can’t stand their employers and many want to leave.
Cyber Alchemists transform the complex into bite-sized chunks. They straddle technology and real life and work to prevent counterproductive situations and behavior through engagement and education before they are picked up by technological monitoring. The idea is that by the time the security team discovers an issue, it may be too late, and prevention is better than cure. An ounce of prevention is worth a pound of cure, and a stitch in time saves nine. In other words, fix the problem now because it will get worse later. Security teams, by nature, are usually quite technical, and the danger of getting technical people to engage non-technical audiences is that they may not be the best at crafting messages that resonate with hearts and minds. The socio-technical approach to security is quite effective and is the secret sauce of Cyber Alchemists. While security teams are embracing the human aspects of security, they also understand that a little learning is a dangerous thing and hence best left to the experts.
The problem is that we give these Cyber Alchemists very little data (and usually little money) and expect them to create a security-conscious workforce in one fell swoop. The reality is, of course, very different. Those who really understand security know that it takes an army to build a wall of defense, and no individual, not even a Cyber Alchemist, can build it alone. To make matters worse, that army needs to be trained not only in how to build a wall but also in how to design it, build it robust enough to withstand battles over centuries, and stay committed to their mission, whatever life throws at them. It takes an army to build an army, and a great leader to lead that army to combat and win.
Cyber Alchemists are responsible for engaging audiences, building awareness and confidence, and trying to facilitate a safe place for employees to enjoy and practice secure behavior. In my experience, their intrinsic motivation towards protecting their organization and their workforce is exemplary, and they are the ambassadors that hold the security torch while others bury their heads in data and network behavior. While they understand that data is king, they also understand that humans are complex by nature, and so the data that drives security initiatives needs to be holistic and include people, processes, and technology. They also understand that the term “human factors” is counterproductive and can’t be separated from technology solutions. Technology is by humans for humans, and anything that isn’t arguably doesn’t deserve to be invented.
It takes smart and intuitive leaders to quickly identify weaknesses in their army, and it takes strength to pull in all the resources they can to mitigate that risk, even if it means stretching outside of their comfort zones into the murky world of human factors. If you don’t want to get your hands dirty, step out of the kitchen.
One of the issues with the term ‘awareness’ and using campaigns to build that awareness is that no one really knows what it means. How do you know if you are aware? And even if I am aware, does that mean I will engage in security behaviours? We all know we shouldn’t eat chocolate or consume caffeine, yet we do, some more than others. There is always a trade-off, and the key to changing behaviour is to understand what those trade-offs are in your organisation. If security is a barrier to business, you need to know about it. If employees have a low opinion of the security provision, their managers, or, worse still, the organisation, you need to know about it. This is missing critical data.
Cyber Alchemists are not mind readers and don’t know if 50% of the workforce are looking for other jobs and are disgruntled with the organisation. They also don’t know if employees are over-worked and simply don’t have the time to think about security and may even be at risk of becoming a security risk due to tiredness. Cyber Alchemists need data on which they can successfully plan and implement their security awareness initiatives, so they hit the spot, so that they inform, involve and inspire the security promoters and detractors of tomorrow.
Where does this data come from, you may wonder? Your best asset – your employees. The critical data is right there; you just need to know how to gather insights and transform them into actionable measures. If our goal is to engage employees with security, then we need to find out what engages them, who is more susceptible to being engaged or disengaged, and who are the security promoters and detractors of tomorrow.
Unlike phishing simulations and surveillance, psychometrics and employee feedback are an unobtrusive way of understanding the motivations and barriers within your organisation. They provide critical data and, together with technological solutions, are the essential ingredients for true alchemy. There are free resources out there to help design a survey which works for your organisation. However, be sensitive to ‘survey fatigue’: keep surveys short and sweet, and always give employees a chance to tell a story through open text boxes as well as multiple choice for ease.
Understanding employees by giving them a safe channel to communicate their thoughts and feelings involves them in the discussion, inspires them to be your security torch bearers, and provides you with the critical data you need to motivate an army to build a resilient wall of defence. Leave no stone unturned, as they say…
Nadine Michaelides, Founder of Anima People.
Anima People work with you to gather employee insights to mitigate security risks and will soon be launching a new platform that will give you direct access to psychometrics, with integrated AI and automated data analysis through machine learning to provide you with your human security dashboard.