From the worst of days…to awareness raised
7 March 2019
• We learn much from our mistakes
• But we learn better from other people’s
• In my role I get to do both
‘From the worst of days to awareness raised’
Any resemblance to actual persons, living or dead is purely coincidental
Remember this:
• Awareness is essential
• But it’s only the first step
• We want ‘unconscious competence’
• Instinctive behaviour is ‘unaware’
Strategy / Culture
• Culture is human
• Emotional, organic
• Drives values
• Manifested through practices and behaviours
• Strategy is executive
• Logical, rational
• Guides goals
• Manifested through planned activities
→ Security
But it’s not a motivator.
• Minor dissatisfier
• ‘Hygiene factor’
How to change something so rooted and yet invisible?
Strategies work best when they align with culture:
• Know your culture
• Use its language
• Don’t go against the grain
• Everyone loves a hoodie
• L&D, internal comms, security – all are on-board
• But not your CIO…
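Influence / Interest grid:
• High influence, low interest: Influential observers
• High influence, high interest: Key players
• Low influence, low interest: Spectators
• Low influence, high interest: Active players
Plotted on the grid: CIO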
• e-Learning started out well
• 90%-plus completions
• But the rates are falling away quickly
• Time for stick or carrot?
CBT or e-Learning can become a box.
Break out of it with blended learning:
• Face-to-face makes it real
• Roadshows, workshops, ILT, role-playing, games
• Engage high-risk users
CBT or e-Learning can become a box.
Break out of it with blended learning:
• Face-to-face makes it real
• Roadshows, workshops, ILT, role-playing, games
• Engage high-value colleagues
• Cyber champions began with enthusiasm
• All departments and locations represented
• One year on, meeting attendance is dwindling
• Grumbles from the champions are rising
• Time for the axe?
Change agents are vital to sustaining awareness and behaviour change.
But they themselves need sustaining:
• Root them firmly
• Water carefully
• Feed them well
• Phishing attack was unusual
• Several senior leaders fell for it
• Despite 5% click-through rates on simulated phishing
Awareness needs measuring.
But the metrics should be fit for purpose:
• Participation ≠ engagement
• Outcomes are what matters
• Diversify your measures
• Campaign was green-lighted
• Then it was amber
• Now it’s been put on hold until… when?
Bandwidth overload in many organisations.
• Hitch a ride if fit is good
• Go tactical
• Patience pays
‘GDPR’ – remember the DP
‘Safety first’ – security second?
‘Work anywhere’ – securely
1993
From the worst of days to awareness raised
www.thesecuritycompany.com