I have just returned from ISC2 Zurich where I delivered, alongside Dr. Ciaran McMahon and Dr. Jessica Barker, a third workshop on awareness, behaviour and culture. The workshop was hosted and organised by ISC2 as part of their 2017 Secure Summits events. The number of CISSPs in attendance is, yet again, further evidence of the growing interest in finding alternative ideas for tackling the challenge of raising awareness, influencing behaviour and embedding security into an organisation’s culture. As with all of our workshops, we ask participants to submit, in advance of the event, any challenges they are having which they would like us to cover during the workshop.
Six key themes emerged; here’s a summary of my thoughts on each:
1. What Does Good Look Like?
Good, to me, is about having a demonstrable process for achieving your defined and authorised objectives for awareness, behaviour and culture, and then sticking to it. In my experience many people look at what other organisations have done for inspiration. But what everyone else does is not necessarily good, or, more specifically, suited to your own organisation’s needs or budget. Good, to me, looks like an awareness campaign which incorporates insights from behavioural science, amongst other things, to increase the likelihood of influencing behaviour.
2. How to Deal with Heterogeneous Stakeholders
People can be very different. Who we are is the combination of our varied life experiences and personal characteristics. However, we are all born with some common denominators. In the vast majority of cases, on a deeply physiological and psychological level, we are the same. We process information in the same way, whether we are the CEO or the customer services agent, whether we are born in India or France, and whether we are generation X or Y.
Understanding the common ground between us, and developing an approach to awareness, behaviour and culture which leverages it, is one way of tackling our heterogeneous stakeholders.
3. Metrics: How to Measure Awareness, Behaviour and Culture
For me the starting point is to clearly define what you mean by awareness, behaviour and culture, and then work back from there. In all of my workshops it is very common for attendees to have no definition of what they, or their organisations, mean by awareness, behaviour or culture. If you do not know what you mean by something, how can you start the process of measuring it in a meaningful way?
4. Positive Culture vs. Punishment
People get things wrong. Sometimes this is down to deliberate or negligent actions, and sometimes it is a matter of carelessness or of mitigating circumstances. Sometimes it is also down to the effectiveness of the training they receive regarding their roles and responsibilities. Punishment has often been seen as the means of motivating employees to comply with organisational policy. However, there is evidence, both anecdotal and scientific, that it is not as effective as people assume. Another approach, proven to bear positive results, is to recognise good behaviours, in both a public and a private way, and reserve disciplinary measures for only the worst examples of malicious or negligent security behaviour.
5. Management not Complying with Policies & Procedures
This is a common complaint. Understanding why people don’t comply seems to be the first step. There may be some very good and reasonable explanations. If so, then try to address these explanations in a transparent way. One of the common explanations you hear reported as to why senior managers don’t comply is that they justify their actions based on “their perceived importance”. I like to acknowledge the justification of being important, and turn this around as the explanation of why their importance is likely to make them more of a target.
6. How to Maintain the Message in People’s Consciousness
Maintaining as consistent a level of awareness as possible is essential. Many people attend awareness training only to forget what they thought they had learned within a short time frame. Frequent engagement, in shorter bursts, is one way of maintaining a higher level of awareness. But understanding the science behind memory retention and retrieval, and incorporating this into the development of awareness campaigns, can also help.
Some Final Thoughts…
Having now presented the workshop on awareness, behaviour and culture to in excess of 300 security professionals, there are some common trends appearing in the discussions I am having off stage. The themes challenging the attendees are consistent. There is a shortage of skills and experience in the disciplines needed to demonstrably raise awareness, influence behaviour and embed security within an organisational culture. However, there is a willingness amongst many security professionals to step up their game with regard to these disciplines, but a significant lack of time in which to develop these new or existing skills.
How do the issues raised in this article compare with your own? I’d love to hear from you, either in the comments section below, or feel free to contact me.
We run regular scheduled and bespoke training courses and workshops dealing with these issues throughout the year via my consultancy, Marmalade Box. These take place in various locations around the globe. If you would be interested in participating, find out where we will be next here, or just get in touch for a chat. I look forward to hearing from you.