Cybersecurity awareness training is a formal process for educating employees about information security. We wrote an extensive article covering the what, who, how and when of cybersecurity awareness training earlier this week, so this article isn’t about employee training. Rather, it’s about how an organization makes awareness training impactful, and creates a culture of awareness around cybersecurity.
Pushback on employee awareness
Often we hear pushback on the actual impact of security awareness training. IT leaders suggest that employees barely pay attention, they get annoyed, they don’t learn, or that training won’t prevent every incident.
The negativity typically boils down to ‘You can’t fix employees.’ Unfortunately, some leaders have actually said, “You can’t fix stupid.” This approach of fixing employees, or of checking a box for awareness training, dooms a cybersecurity awareness program from the start.
Differentiating the business with information security
The training part is just the beginning - it’s level 1. The goal isn’t to check a box to tell your customers, auditors, and stakeholders that you’ve trained employees. The goal is to create a culture of awareness, reduce the risk of a breach to the organization, and differentiate the business with information security.
Leaders play a pivotal role in this process - starting at the top. CEOs and business owners must pull cybersecurity out of its silo in IT, and spread the responsibility amongst their peers. The CEO can accomplish this task by creating a vision that includes cybersecurity - for everyone.
The CFO must understand and buy into how cybersecurity will impact that role - not just because the CFO will be targeted by sophisticated attacks, but because the top and bottom lines will never look the same following an attack.
The CTO must understand how to build security into the product.
The COO must understand how policy impacts operations, and how operations impact policy.
Sales leaders must understand how a breach will impact their numbers and their team.
And of course, the CIO/CISO must understand how to make the most of a limited budget to build security into and across an organization.
This is as important as training employees because if leaders don’t believe in the purpose they won’t enforce it. They won’t discuss it in their weekly meetings. They won’t address an employee who’s not following the acceptable use policy because ‘the high performing employee deserves a pass.’ They won’t follow policy or best practice themselves.
They just won’t get it - and their reports will follow.
Challenges of Leaders are Different than Employees
When developing a leadership team that understands cybersecurity, we must understand that the challenges of leaders are different than the challenges of employees. While they face all of the same risks as an employee, they also face much more sophisticated attacks.
Take for example the well known attack on CFOs in which the cybercriminal spoofs a CEO’s email and requests a wire transfer from the CFO. If the email is spoofed, it will be indiscernible from an email from the CEO. If the attacker has been planning for a while, they’ll copy the language of the CEO. They will know she’s out of town, and they’ll use all of that to create a scenario that makes detection near impossible for the CFO.
These leaders not only face the same threats as the employee, they face highly targeted attacks and must be on top of their game.
Training Leaders to Support Employees
This may be deep for a blog post, so I hope I don’t lose anyone here. Leaders lead. That’s it. That’s the deep part. They lead sales, they lead finance, they lead a team, they lead an organization, and they lead cybersecurity, or not.
Let’s repeat something from the beginning of this post.
This is as important as training employees because if leaders don’t believe in the purpose they won’t enforce it. They won’t discuss it in their weekly meetings. They won’t address an employee who’s not following the acceptable use policy because ‘the high performing employee deserves a pass.’ They won’t follow policy or best practice themselves. They just won’t get it - and their reports will follow.
For the leader to lead, they must first know, understand, and believe in cybersecurity awareness. They must know and understand company policy, best practices, and reporting procedures. Once a leader understands all of this, they can open the communication channel to their reports, provide direction, and provide support.
Learn more about our half day workshop that prepares your leadership team to support a culture of cybersecurity awareness.
To be clear, leaders do not have to take the role of IT for their reports, but they do have to support their reports to follow best practices.
A real life example might be that there’s a deadline by the end of the day, and the leader needs a full report of sensitive information by 14:00. It’s 13:55. A traditional method to transfer that information is by USB drive, or perhaps email. In the interest of time and effort, that may be the easiest way to meet the deadline. However, company policy says they can’t use removable drives, and they have to use an encrypted file transfer for sensitive information. In theory that’s easy to say, but in practice most managers would grab a drive they picked up off the conference floor just so they can meet their deadline. Buy-in from leadership is about making leaders and employees confident enough to take the extra time to follow policy, even when it takes longer.
Creating a culture of awareness
Creating a culture of awareness starts at the top. In our consulting we utilize traditional organizational behavior change methodologies to create a culture of awareness within our customers’ organizations. The general process that organizations should follow is this:
1. Create a purpose to believe in
Creating a culture of awareness starts with creating a purpose to believe in for every person in the organization.
2. Lead by example
Raising awareness of the risks in the boardroom and creating a shared vision for the organization provides a base for organizational behavior change. Leaders must then lead by example - following policy and procedures so employees follow them.
3. Employee Awareness
An employee awareness program establishes best practices, codes of conduct, and provides a baseline of measuring individual risk performance.
Communicate the challenges happening to peers in an organization to create an understanding among staff that cyber risks are happening every minute of every day.
Employee cybersecurity awareness training is more than just checking a box. It’s more than just assigning a training module to your employees.
Creating a culture of cybersecurity awareness starts with the CEO and CIO, and disseminates throughout the organization. A culture of cybersecurity is not an event, rather it’s a process.
The organization, top to bottom, must believe that cybersecurity creates differentiation for them in the market.
We hope this becomes a starting point for creating a culture of cybersecurity awareness within your organization. To learn more about our onsite half day workshops that prepare your leadership team to support a culture of cybersecurity awareness, schedule a discussion on the bottom of https://wuvavi.com/leadership-training/.
Jon Santavy is the CEO of Wuvavi (www.wuvavi.com) – the world’s leading employee cybersecurity awareness platform for small and medium sized business. Through innovative training, simulated phishing attacks, and the right analytics, Wuvavi customers reduce their employee related cybersecurity risks and create a culture of awareness in their organization.
Main Image Credit : The awesome piece of artwork used to head this article is called 'Newtons Cradle' and it was created by graphic designer Krzystof Dziedzic.