From the worst of days…to awareness raised

7 March 2019

• We learn much from our mitsakes• But we learn better from other people’s• In my role I get to do both

• We learn much from our mistakes• But we learn better from other people’s• In my role I get to do both

‘From the worst of days to awareness raised’

Any resemblance to actual persons, living or dead is purely coincidental

Remember this:

• Awareness is essential• But it’s only the first step

• We want ‘unconscious competence’• Instinctive behaviour is ‘unaware’

StrategyCulture

• Culture is human• Emotional, organic• Drives values• Manifested through

practices and behaviours

• Strategy is executive• Logical, rational• Guides goals• Manifested through

planned activities

→ Security

But it’s not a motivator.

• Minor dissatisfier• ‘Hygiene factor’

How to change something so rooted and yet invisible?

Strategies work best when they align with culture:

• Know your culture• Use its language• Don’t go against the grain

• Everyone loves a hoodie• L&D, internal comms, security – all

are on-board• But not your CIO…

Influ

ence

High Influential observers

Key players

Low

Spectators Active players

Low High

Interest

CIO CIO

• e-Learning started out well• 90%-plus completions• But the rates are falling away quickly• Time for stick or carrot?

CBT or e-Learning can become a box.

Break out of it with blended learning:

• Face-to-face makes it real• Roadshows, workshops, ILT,

role-playing, games• Engage high-risk users

CBT or e-Learning can become a box.

Break out of it with blended learning:

• Face-to-face makes it real• Roadshows, workshops, ILT,

role-playing, games• Engage high-value colleagues

• Cyber champions began with enthusiasm

• All departments and locations represented

• One year on, meeting attendance is dwindling

• Grumbles from the champions are rising

• Time for the axe?

Change agents are vital to sustaining awareness and behaviour change.

But they themselves need sustaining:

• Root them firmly• Water carefully• Feed them well

• Phishing attack was unusual

• Several senior leaders fell for it

• Despite 5% click-through rates on simulated phishing

Awareness needs measuring.

But the metrics should be fit for purpose:

• Participation ≠ engagement • Outcomes are what matters• Diversify your measures

• Campaign was green-lighted• Then it was amber• Now it’s been put on hold

until… when?

Bandwidth overload in many organisations.

• Hitch a ride if fit is good• Go tactical• Patience pays

‘GDPR’ – remember the DP

‘Safety first’ – security second?

‘Work anywhere’ – securely

1993

From the worst of days to awareness raised

www.thesecuritycompany.com