After working with hundreds of organizations around the world, one of the most common reasons I see awareness programs fail is a lack of planning. Quite often these awareness programs are compliance-driven efforts developed by auditors to check the box. This is where you get death by PowerPoint, or topics picked haphazardly throughout the year. To build a long-term awareness program that effectively manages human risk, you need a plan. However, many organizations are not sure where to start. Fortunately, it is a lot easier than you think: all you need to do is answer three deceptively simple questions, Who, What and How.
- WHO?: “Who” asks whom you are targeting in your training and whose behaviors you are attempting to change. Just like you would in a marketing campaign, you need to understand your target audience. Often for immature or new awareness programs, the target audience is simple: everyone. The goal is to teach or communicate a common foundation of core security behaviors across the organization. But as your program matures, you will find different target audiences that require additional or specialized training, most often those in specific roles. Examples include executives, IT admins, developers and perhaps accounts payable. Once you understand your different target groups, you can then answer the questions What and How.
- WHAT?: Now, determine what you need to teach people. This is ultimately driven by what behaviors you need to change, so “What” starts with a human risk assessment. Far too often awareness programs suffer from “cognitive overload”: you overwhelm employees with so much information that they cannot remember it all and, as a result, they retain almost none of it. Instead, you need to prioritize and focus on your top human risks, then identify the key behaviors that will help you manage those risks. This is What you will be focusing on. The fewer behaviors you communicate, the more likely you are to change them.
- HOW?: Finally, ask how you are going to communicate those behaviors to your target audience. How are you going to engage them, and why should they listen to you? Quite often this is where programs fail, as many awareness professionals come from technical backgrounds and do not have experience in soft skills such as communication, collaboration or culture. We have to be sure we are engaging people and speaking to them in their language. For this you will need to develop a communications plan based on your organization’s culture, branding and other elements. Fortunately, you most likely have a marketing or communications department that can help you do this.
The Security Awareness Roadmap can help you plan your awareness program: it identifies the five different stages of an awareness program and how to achieve each stage. The roadmap not only serves as a powerful tool to identify where your program currently is, but it can also help you visualize where you want to go and the key steps to get there. Keep in mind that your awareness program is a long-term project; as long as you have people, you will need awareness training. As such, your plan will always be evolving and changing. However, the core of that plan should always start with three simple questions: Who are you targeting, What behaviors do you need to change and How will you change those behaviors?
About the Author
Lance Spitzner has more than 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and published three security books. Lance has worked and consulted in more than 25 countries and helped more than 350 organizations plan, maintain and measure their security awareness programs. In addition, Lance is a member of the Board of Directors for the National Cyber Security Alliance, a frequent presenter and serial tweeter (@lspitzner), and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army’s Rapid Deployment Force and earned his MBA from the University of Illinois.