If you’re not rolling your eyes at that title, you should be. Change is not easy. Influencing people’s behavior is hard work and often an elusive goal. The old model – putting up security awareness posters in break rooms or making people read policies every year and assuming knowledge will translate to behavior – is broken.
Not only is the model broken, but we also often have the wrong people in certain roles within the organization. You wouldn’t want a marketing person to install and configure your firewall any more than you would want a technology person to communicate with your employees and influence them to change their security behavior.
Influence = Creativity + Insight (Data)
People are irrational in their decision making, including the split-second choices they make that open your company up to security risks. Criminal social engineers know this. If people acted rationally, would they have believed the “Nigerian prince” email scams? People want to connect and believe in others. So how do you leverage that for good instead of allowing the hackers to leverage it for bad? Start by telling a story that people can believe in. Be an inspiration in an irrational world. Be creative, with data as your tool, to gain influence.
Don’t know where to start? Follow these four steps to transform a dry security-based message into an engaging story that leads to changed behavior.
Step One: Attention!
If you don’t get people’s attention, you have no chance to influence behavior. I’ve found a lot of people working in security awareness suffer from “security narcissism.” We’re all fascinated by security; we find it innately interesting. But not everyone is fascinated by security. Think about your audience and their goals, needs and priorities, and align with them.
Getting people’s attention is more effective if you have engaging creative materials – think about the words and imagery that make up your posters, blogs, videos and events. Most likely you’ll need to hire a creative professional or a creative agency or find internal resources outside of your IT organization whose work you find engaging. You can teach a creative person enough about security to do messaging and awareness, but unfortunately, you can’t teach creativity. Start with the right team to ensure that your messages stand out when you need them to.
Step Two: Be Interesting – Everywhere and All the Time
To create security content that’s interesting, you have to understand your audience. Marketing personas can be a big help here. Get inside the heads of your employees. Understand what makes them tick. Know their current perceptions, needs and emotions. Try to remember what life was like before you got into security. Don’t look at your employees’ security training performance as a rating of them. Look at it as a way to help you understand more about them.
We’re not selling a message that solves people’s current pains. Instead, we’re selling the prevention of potential pain of an intangible thing – being hacked or breached. In the world of marketing and advertising, that’s a tall order. You’re not going to fix that with a break room poster. Bring out the marketing big guns.
Step Three: Don’t be Dense (Information Dense)
Less is more, but more is better. Confused? Keep your messaging short and concise and your copy targeted and clear – but use every channel available to you. Think email, text messages, company newsletters, portals, etc. Look for unexpected ways to get your message across – such as tent cards on conference room tables, decals on bathroom mirrors and cardboard cutouts in a parking garage. If you sent an email with a training assignment but you’re frustrated that people didn’t take the training, don’t blame your users – look in the mirror. What other channels and tactics could you use to communicate? How did you make people want to take the training?
Step Four: Lose Control of Your Message
Content going viral means you’ve lost control of it – in a good way. You want employees – not just the “security people” – to spread security. What makes stuff go viral? People want to look smart by sharing something interesting. People want to make others laugh by sharing something funny. Create content that drives sharing and you can spend your time creating the next great security campaign.
Security training and messaging is a challenge. But the best security communications don’t just communicate; they create change. In order to do that you need to start by standing out.
As Seth Godin says, “In a busy marketplace, not standing out is the same as being invisible.” Start thinking about your security communications as a marketing campaign, and you’re on the way to true success.
About the Author
Lisa Plaggemier has spent her career branding and marketing cars and trucks, software and data and now security. She’s combined her passion for the automotive industry with a fervor for security awareness to help CDK Global, OEMs and dealers manage their risk and grow their businesses securely. Lisa worked in marketing for Ford Motor Company in the U.S., Europe, Africa and the Middle East. She is currently the director of culture of security, risk and client advocacy for CDK’s global security organization. Lisa graduated from the University of Michigan and currently lives in Austin, TX.