Welcome to yet another cybersecurity article … wait, wait, don’t go anywhere. I promise this one is different. As a recovering engineer turned learning and development (L&D) technologist, I’ve learned that cybersecurity isn’t achievable through training alone. Cybersecurity must be the backbone of a company’s culture—present in every business area—to be achieved. I get it; building a company culture takes a long time and requires buy-in and commitment from everyone. Don’t worry; I’ll walk you through how to create a security culture and get buy-in across the organization.
In an age in which news outlets from TMZ to The Wall Street Journal regularly report on data breaches, we may become numb to the issue. Depending on your industry, you have clients and governments hounding you to train your employees on data privacy and information security. We can no longer look at security training as a box-checking activity. We need to energize our program and people with our wins! How many phishing attempts did we block and report? How many network penetration attempts did we stop? You should be broadcasting this information to your employees and making them part of the win.
We have an opportunity, as talent development professionals, to create a new culture within our organizations. Security awareness training is not a fad. It will not be replaced by another knee-jerk reaction to a global issue or market trend. As digital storage, mobile devices, and information sharing evolve, so must your program. This is not about buying off-the-shelf content to check a box during an audit anymore. It is no longer about creating awareness. So, if it is not about creating awareness anymore, what should our security awareness programs be doing? Our security awareness programs must be creating and fostering a security culture!
What is security culture?
Security culture is defined as the act of developing intellectual and moral faculties, especially through education. I like this definition for our purpose because it is no longer enough to hold annual training. Awareness is no longer good enough. Awareness does not strengthen the weakest point of physical infrastructure or data network, i.e., the humans who use it. Awareness is not just a check box on an audit sheet or a marketing presentation. You build a culture based on security by developing your employees year-round; consistently communicating, educating, and engaging with your employees; recognizing the wins and losses; and, yes, testing.
How to show the value
We have the opportunity to change the view of mandatory and compliance trainings from the eyeroll- and moan-inducing requirement they are in most businesses to an exciting, engaging, educational opportunity that provides a critical life skill. This is the method that lends itself to changing hearts and minds. Again, we must create a culture where employees are invested in the company’s security performance. To do that, we need to sell people on the benefits and, as always, what’s in it for them!
Honestly, selling a security culture may be the easiest thing you ever do in your professional life. Take a room of 20 people; someone in that room has experienced identity theft, phishing, credit card skimmers, or malware or has maybe even been the victim of a physical crime. Using the personal stories of your employees helps create buy-in and builds value while further driving home the importance of your security culture. Remind your learners this is not just policies and procedures. Security is a new life skill they will use daily in their personal and professional lives. Through it, they will enrich those around them in their personal lives with the information and skills developed and nurtured through the security culture at work.
One of the methods I used across multiple industries is sharing employees’ stories. Sharing news stories is all well and good, but if you can create an emotional response to your learning content, it helps the brain write that information into long-term memory. If you love brain science and white papers, check out The Influences of Emotion on Learning and Memory.
Security training toolkit
There is no perfect time to start implementing your security culture program. You just have to do it! Get your sponsors together, get your messaging right, and roll out. This is an infinite program: there is no start or end; it is your new constant. Your program needs to be flexible enough to pivot to address new and potential threats as identified by your security team or the Cybersecurity and Infrastructure Security Agency (CISA). However, it is best to have a quarterly plan so you are not scrambling for content every week (or whatever your cadence is).
Building a cultural program allows you to get out of your training comfort zone. Expose your learners to new learning methodologies and exciting delivery mediums. Below are some methodologies and delivery mediums that have worked well.
- Microlearning video—short informational videos that are 90–120 seconds.
- Pop culture/meme posters—Place them in break rooms and cafeterias. Try to rotate them quarterly to keep things fresh.
- Quick reference cards—new threats, protection solutions, best practices, etc.
- eLearning modules—not to exceed 6 minutes.
- TED Talks—(my favorite: This is what happens when you reply to spam email).
- Written articles/blog posts—Maybe use this one to help explain your change in culture.
- Podcast/vodcast—with security personnel, clients, vendors, consultants, etc.
- Quarterly Q&A/roundtable sessions.
- Tabletop exercise. (Homeland Security has a generic template you can customize.)
- Drip learning—Create a time-released learning path that releases content on a schedule you set. This helps maintain your cadence and engagement with employees while not overloading them with information. Keep it micro: 6-minute interactions.
- Spaced repetition—Follow up complex content or vitally important information with small bursts of questions or content to bring the content back to the front of the mind and help aid the brain in writing the information into long-term memory.
- Penetration testing—Commonly called pen testing, this is an authorized, simulated cyberattack on a computer system performed to evaluate the security of that system. It is not to be confused with a vulnerability assessment, which only catalogs weaknesses without attempting to exploit them. Normally you hire an outside firm to perform this test, just as you would for a financial audit.
- Simulated phishing e-mails—with bad links and attachments, so you can measure who clicks and who reports.
- USB drive drops—IT scatters “infected” USB drives about your campus to see whether they are plugged in or turned in.
- Workspace search for username and password stickies—Check under keyboards and mouse pads.
I’m a big fan of ensuring I alternate content types in every communication. Build out your schedule, and set up your topics and delivery method/medium. This is a nonstop program. If you don’t build in the variety, you will burn yourself and your audience out! Content fatigue is real; you will lose your learners’ engagement if you become repetitive or predictable.
Develop and maintain a cadence
Remember, building a culture is not easy. There is no “set it and forget it”! You are developing a mindset shift and skill set across your company against the world’s fastest-changing threat. It requires a creative and nurturing program that instills a healthy sense of paranoia, not crippling fear. You need to be consistent in your approach and engagement with your employees. Any slippage may create the perception that it is not as important as it is. Be realistic in developing your schedule for creating and releasing content. If you can only engage monthly, then that is your cadence. There is no right or wrong answer to this. It’s just about being sincere and consistent.
Rewards and recognition
A rewards program is one of the most successful ways of preventing slippage after year 1. Incentivize employees to identify and report real, perceived, or questionable security issues. The rewards don’t have to be cash or prizes. Rewards can encompass any recognition: a certificate, badges (look at for inspiration), extended lunch breaks, or using a designated parking spot. Just be creative and genuine. You are encouraging and supporting a culture change.
We all know people are the weakest part of any security solution. Creating ownership makes everyone an extension of the security department, where every employee in any organization has a dotted line to the head of security.
Assess and evaluate your program
In the world of cybersecurity, whether your program is working or not is an easy question to answer. Have you had a data breach? Received malware or ransomware? Remember, you are playing the long game here, and change takes time, but this approach works.
Sean McGinty is an L&D professional with over 20 years of experience in design, development, facilitation, and evaluation of corporate L&D programs and a full understanding of learning theories and international trends. He also holds ATD Certified Professional in Talent Development (CPTD) and Modern Classroom Certified Trainer (MCCT) certifications.
Always striving for innovation, McGinty has helped guide companies as they modernize their learning departments by evolving from purely instructor-led training to blended learning environments, along with the implementation of learning technology stacks. Throughout the years, McGinty has spoken all over the United States at conferences and local events and on podcasts on L&D topics. He also sits on the following boards and committees:
- VP of Program Logistics for ATD RTA
- Conference Planning Committee for ATD Carolina
- Advisory Committee Member on Cybersecurity for Executive Education University of South Florida Muma College of Business
Who to follow?
Because of the ever-changing nature of cyber and infrastructure threats, I use Twitter to stay current. There is no shortage of security experts on Twitter, but below are my favorite follows: