October is behind us, a big month for national security awareness campaigns across several countries. For many, campaigns like this offer the only security training people get during the entire year. But a campaign-oriented approach like this also has a few limitations. You simply cannot frame all your company’s security training needs within one month, and campaigns cannot be arranged for every other month either. So, what should you do when October ends?
Personally, I’ve been in charge of several campaigns for security awareness, both company-wide and month-long. These have pretty much consumed my entire focus during the campaign period, including a couple of months in advance and a few weeks after. First you have to ensure you get people’s attention, and then you need to deliver quality learning for them. It can be outright exhausting, because you do everything to create a positive experience for everyone. After all, making people happy is usually not part of the job description for us security people. You need many good helpers to pull off a successful campaign, but coordinating them also takes a lot of effort. And still, people can only share your enthusiasm for campaigns so often.
It is easy to understand why security training through e-learning is so commonly used by companies. As a cost-effective way of delivering a set of learning content to all of your employees, it lets you tick the box for regular training. Measuring how many people have completed the training, and when, is easy. You don’t need a huge campaign to get people in touch with your message either. People with a positive attitude towards security are likely to consciously spend their time consuming whatever training you provide them with.
However, I also suspect that many people (including IT professionals) are not entirely satisfied with the way e-learning is normally done. First of all, we all know how clicking our way through e-learning slides can be done in no time, without actually learning anything. Some will do this simply to satisfy their manager’s need for a better departmental completion rate, though not without irritation. There could in fact be quite understandable reasons for not completing the training, such as an extraordinary workload in some periods, or poor relevance of the content. Your campaign wouldn’t make them care an inch more about security in the end. Possibly, they’ll care even less, having had to go through such an annoyance. In my opinion, achieving a 100% (or even 75%) completion rate on e-learning is usually a bad thing: you have most certainly made somebody annoyed about security along the way!
The art of listening
This is where we must begin to listen. We commonly use the word “awareness” about something we security professionals would like other people to get. But actually, your own awareness of what your colleagues need is key to getting security and people aligned.
As I have written previously on this blog, one of my favourite activities is actually talking to people about security. This also helps you figure out your next moves. Dialogue with your colleagues is essential to understanding their needs, in much the same way that software companies do user-centred software design and development. “You are not the user”, they say, and we have every reason to keep listening to what other people are saying. Empathy and dialogue with users is also at the heart of so-called design thinking, an increasingly popular method for helping innovation solve actual problems.
An opportunity for such dialogue arises through internal audits. Now, these words may not be the most inviting for a positive conversation – an audit means investigating whether people do as they should. In this respect, you risk people not acting in an open and truthful manner. Nobody wants to be caught red-handed, right? But luckily, there are different ways of doing an audit, and you don’t need to be literal about it, provided you have the buy-in you need.
In practice, you should try taking a “random” conversation approach to audits. It works by simply approaching colleagues you don’t really know all that well, at their office. Keep in mind that you’re not looking for glossy numbers; it is time to get down to human insight. Internal audits are just a tool for continual improvement, and topics for conversation can easily be chosen based on risk. But the main point is to get people talking to you.
Curiosity never killed my cat
Say you are interested in learning more about how security matters to them, and ask respectfully for a few minutes to sit down. Focus on making all your interactions appropriate to building personal trust. Never bring up accusations of failure, and avoid leading questions that will make them feel forced to admit some mistake. Instead, ask open questions, such as whether they have seen anything suspicious lately, maybe an email or a post on social media, or whether they’ve seen anything about hacking or scams in the news lately. Did they change any of their passwords recently, or have they taken steps to secure their wireless network at home?
As your conversation develops, opportunities to inform your audit will appear. You may find ways to ask, for instance:
- How does your colleague deal with a particular scenario, such as sharing files with others?
- If relevant, how much knowledge about handling personal data do they show?
- Where does your colleague mainly learn about security?
- Has anything useful been learnt recently?
- Are people especially aware of any policy rules, and are they applied in practice?
- Have any policies been read lately, or are they possible to find at all?
- What are people’s password habits like?
- Do they feel responsible for security in any particular way?
- Are they aware of how their colleagues relate to security?
- Do they wish to learn more about security?
What is really important is paying attention to the emotional cues they give about their relationship with security. Does it appear to be a burden to them, or is it perceived as a natural part of their work? Are they giving you a high-five for that last campaign you did, or are they affected by fear, uncertainty and doubt? Maybe they share some fresh perspectives on some security policy rule, and perhaps they have questions about that last training session. Perhaps they were in the annoyed category, but now they trust you enough to confide that they clicked through the e-learning in 13 seconds.
The great thing about conversations is that you can always dig deeper whenever something interesting is encountered.
Don’t be intimidated if they don’t share a lot immediately. Not everyone will understand what you mean by “security” at first (as if that would surprise you). But once you start making things more concrete, you will soon realise that all people have a certain level of consciousness about the topic. They will reveal a level of risk understanding, and whether or not they are open to learning more. The time it takes to earn their trust depends on several factors. In any case, the conversation itself is time well spent building trust, regardless of how well your audit is informed. Both your colleagues and you will learn new things during the conversation, even when it’s not supposed to be an educational session.
But how does it scale?
Conversations will provide you with realistic insight into other people’s interests and challenges. Building mutual empathy with people this way is in fact a self-reinforcing effort, resulting in new conversations about security. People will talk to others after talking to you, and you will have other people’s views and opinions to talk about besides just your own. Do not underestimate the multiplying potential of one-to-one interactions.
I believe that the number of security-related conversations in your organisation is a good measure of security culture. You may also apply the same principles in group workshops, where you go deeper into auditing particular policy areas. If you have already had this talk in a safe setting before, a better understanding of others’ perspectives will follow. Instead of holding back, people will try to help you move forward. Most people appreciate getting involved in making their workplace better.
You will soon identify needs for next steps. When audits reveal non-compliance, you want to fix the real problems – not just the symptoms. Maybe your conversation created awareness which has already helped resolve the matter. If more competence is needed, you begin developing targeted training. Could it also be possible that the policy itself has room for improvement? Or perhaps you need some products to better support people in getting their job done securely? All three possibilities are relevant to building a culture of secure practice in your organisation.
Either way, this is how you’ll have awareness work to do for the rest of the year. As if you didn’t have enough to do already! But maybe this is the year when people should get that extra attention? I can safely assure you, exploring these waters makes for an interesting journey.