It was great to be invited back by ISC2 to build on over 2 years of sharing insights, with ISC2 members, into the human side of information security and my SABC (Security Awareness, Behaviour & Culture) framework.
This time ISC2 had reformatted their regional events and instead of running them for 1 day its members could benefit from 2 days of intense insights, sharing and networking on the topical issues within information security.
I was invited, along with Dr. Jessica Barker and Dr.Ciaran McMahon, to bring our successful workshop, delivered at ISC2’s 2016 EMEA Congress, on awareness, behaviour and culture, to the Benelux event hosted in Amsterdam.
My first observation was the number of people who attended the workshop. The room was full and the workshops were fully booked! We had over 60 attendees at each workshop. I would like to think this is a reflection of a pivot, across the industry, to the need to re-think the human factor.
As a pre-cursor to the workshop we asked attendees to send in their specific questions and challenges. Jessica created some themes which seemed to be consistent across the questions we were sent. I’ve included the theme’s below and also some, but not all, of my responses to the workshop attendees.
A. How to get people to actually engage in security, not just passively absorbing training/comms
B. Balance in policing behaviour and in having a trusting culture (“why should I lock my workstation, I trust my colleagues”). How to enforce security in a workplace that does not want to punish staff
C. Building consistent / continuous security awareness/behaviour/culture – how to turn awareness into embedded behavioural change and a strong culture of cyber security
D. How to communicate to multiple target groups / different roles / ages
E. How to make awareness-raising engaging and interesting
Here’s some responses I gave to the themes above obviously shortened for brevity sake :
A) The most effective engagement requires two way communication. Many “awareness” activities are focused on pushing messages to audiences.
B) Punishment as a means of motivating people, on its own, is less effective than most would think especially when there’s evidence that people are not held to account else where.
C) Consistency is often over looked when it comes to awareness activities. This starts with a consistent brand, message, standard of writing and tone of voice amongst many other things.
D) Often, for costs reasons, activities to “raise awareness” focus on a very limited number of channels for communication. Whilst this may seem reasonable the reality is that people have preferences for how they receive and remember messages. A one size fits all approach to communication is not that effective at engaging with audiences and influencing behaviour.
E) What is engaging and interesting is different for different audiences. If someone tells you what is interesting and engaging, for your audience, without understanding the audience and environment within which you operate, then they are failing to understand what marketers have known and practised for decades.
Whilst the themes show a mixture of awareness, behaviour and culture queries the over riding phrases we most saw, in the emailed questions, were behaviour and culture. Awareness, itself, was a “means to an end”. The end being behaviour and culture.
I’ll be writing a short article, after all 6 of my workshops with ISC2, in 2017. If you’d like to know when I have written an article, why not subscribe to the blog using the subscribe box on this post. You’ll also be able to listen to my Re-thinking the Human Factor podcast starting in May 2017.
To find our where the next ISC2 Secure Summit will be held, get the full details and listing here.