At the (ISC)2 Secure London Event today, Laurie-Anne Bourdain, data protection officer at Belgium fintech company Isabel Group, delivered a session on planning and delivering a successful cybersecurity awareness program.
Bourdain advised that creating a roadmap is an essential first step in developing a good awareness program. The roadmap requires an understanding of your organization’s threat landscape, which includes knowledge of your vulnerabilities, who your threat actors are and what threat vectors you’re up against. “This knowledge will help you consider your priorities based on your risks. Due to budget and time constraints, you need to evaluate and prioritize your risks, but you also need to align that with your own risk appetite – consider how much risk you can afford to take,” she advised.
The next step in the roadmap, Bourdain continued, “is to identify what you want your targets to learn. Then, you need to address what resources you have. Think about your channels of communication.” As an example, printed posters are still an effective method of communication, she said.
“The scary part of your roadmap is delivering it,” said Bourdain, “because you might fail.” She considers herself lucky to be given the luxury of spending a fifth of her time on awareness and training, “but I’d still like it to be more,” she contended.
Developing awareness programs is all about filling gaps, she argued. “This includes the knowledge gap, skills gap, and the motivation gap.” She argues that the latter is the biggest challenge. “It’s difficult when people know how to do something but don’t want to and they don’t care. You need to explain why it’s important to them personally and support motivation with incentives or rewards – this will help them continue their behaviors.”
The final gap that Bourdain called out is the undeniable communications gap. “IT is not the primary language of most people in an organization, so be careful not to use technical or legal language,” she advised. “Use a language that is easily understood by every single member of your organization and adapt to your different learners.” Putting yourself in the shoes of the novices in your organization will enable you to pitch your language and communication correctly, she said. “Try to remember what it was like to know nothing. Don’t assume knowledge.”
She emphasized the importance of positive reinforcement, noting it can take the form of recognition and awards and does not necessarily need to be financial. “Other tips include gamification, playing on people’s emotions and using the power of moments,” she said, giving the example of raising awareness during the Log4j crisis. “Use social engagement. The more people that are visibly doing something, the more others will feel encouraged to do the same,” she added.
Her strongest piece of advice, however, is repetition. “Awareness needs repetition, even when it feels counter-productive. Yes, you already told them that last year, but it will have been forgotten, so tell them again.”
In conclusion, Bourdain stated the importance of three ingredients for a successful cybersecurity awareness program: Management support: “To create visibility, you need management support. Make them understand what’s in it for them and gain their support.” Provide metrics: “Provide good metrics. Data on how many people completed the training on time is a bad metric. The number of people reporting phishing compared to last year, however, is a good metric.” Report back: “Tell management why your awareness program is working, and tell them why you need more budget – and more time – for next year.”