Large organizations from around the world – and future clients – come to us with questions about how to best plan, launch and manage their internal security awareness programs — questions about metrics and subject matter, types of content and LMS specifics. But one of the most common questions we get asked is, “How do I market my security awareness program to my users? How do I make them care? How do I get them involved?”
Even the most compelling security awareness program is only going to be effective if you have buy-in and participation. How do you get users to participate if you don’t tell them about the program? You can’t just tell them once. You must tell them over and over, in different (and creative!) ways, just like any advertising and marketing program.
The following is by no means comprehensive, but includes many successful strategies and tactics we’ve seen work for many of our clients. We hope they help you, and we invite you to tell us what you would like to see added or something that has worked for you!
Visibility, Frequency and Regularity
Does Coca-Cola only advertise their products once a year at the Super Bowl? No way! They remind us all year long — through print ads, TV commercials, web banner ads, social media campaigns, blog posts, and product placement — that they want us to buy their product. They want Coke in our brains at all times; it’s called Brand Marketing, just to make you aware that they even exist. And drinking soda is not something that’s important like security awareness messaging! Treat your security messages like a product you want your users to buy and get in their faces.
Create a tagline for your Security Brand, an easy-to-remember phrase that will get stuck in your users’ minds. (Just think how often the Farm Bureau Insurance jingle or “Nationwide is on your side” has gotten stuck in YOUR head!)
Make your messaging visible, frequently and regularly, in a variety of mediums. Use weekly/monthly/quarterly email-blasts; post messages and images on your company intranet; implement screensavers with funny awareness posters and incident response information. Advertise where your employees go: Posters in elevators, halls, the bathroom stalls and elevators, monitor displays in the break rooms, put your tagline on the pens on their desks. These are all great micro-learning opportunities. Get creative and have fun with it.
At the end of the day, the goal is to make security awareness a part of corporate culture and not just a chore. For something to become part of the company culture – part of everyone’s mindset – it needs to be heard regularly and be easy to remember.
Package your message in a useful way — this is a big part of sales and marketing. You use packaging to generate demand and create constant consumption. When you think packaging, you probably immediately think of physical package design, which is definitely an important aspect and one that, in the case of an SA program, relates more to how the content is presented. You can advertise the same message (change your password! think before you click! report security incidents!) in many different mediums (monthly email blasts! 2-minute videos! quarterly e-learning training!), targeting different audiences (end-users! middle management! C-levels!). Sell the same product (e.g. message) by changing the package (e.g. delivery method).
A prime example of premium packaging that we’ve seen work at many organizations — especially large, multinational companies — is the Program Launch Video. You should announce the beginning of a campaign; make some noise! A launch video that is short (under 4 minutes), to the point (no BS language) and includes at least a brief message by the CEO* (if not entirely narrated by that person) is the perfect way say “HEY EVERYONE LOOK AT THIS AWESOME INITIATIVE WE’RE STARTING! YOU SHOULD PAY ATTENTION!” Kick your entire awareness campaign off the right way by making a big deal out of it, announcing it with the support of the CEO, and get buy-in from the very beginning.
We’ve seen a lot of companies get some a C-Suiter or CEO introduce the program. We have also heard feedback from the global companies that many Asian and African employees tend to buy-in to messages more if they come directly from the mouth of the head honcho.
Packaging also refers to the presentation of information: Data is one thing. But if the user (or executive or tech admin) doesn’t know how to interpret the data you’re giving them, what good is it? For example, after a vulnerability assessment, you determine you have 6000 vulnerabilities. But that number (data) is meaningless without context (packaging). Are they 6000 critical vulnerabilities or are 4500 of them low-risk? Data is only useful if it is packaged in a meaningful way. The proper packaging can turn data into wisdom.
Data —> Information —> Knowledge —> Wisdom
Now think about your users: If you tell them that 91% of APTs begin with phishing emails, that’s a very interesting piece of data — but only if they have context. Do they know what an APT is? Do they know what the end result of an APT is? Do they know how a phishing email actually leads to the beginning of an APT? Don’t just provide data, but give context to turn that data into useful information that will inform your users, giving them knowledge that they can use to make informed decisions (wisdom).
Reward Your Users
Put yourself in your users’ shoes and ask yourself these questions: Why should I care about security awareness? Why should I bother with all of this training (that seems like extra work)? What’s in it for me?
An informed, security savvy user population is a huge benefit for any company, but it can be challenging to get employees to participate in something they view as extra work, boring, irrelevant or a waste of time. So don’t waste their time – or yours. Incentivize awareness training and activities with prizes for high scores or the most completed training (prizes don’t have to cost a lot – pizza parties, casual Fridays, an extra day off, or small swag items like a coffee mug with the company logo can all go a long way!) Definitely make at least some of it mandatory but make it fun. Gamify things when you can. Think about doing a company wide scavenger hunt or other contest where employees can earn points and compete with one another; try a leader board system (many modern LMSs offer some sort of gamified functionality that allows your users to see where they stand compared to other users. This can inspire a friendly sort of competition.) Think about gamified systems in life — from the girl scout badge and karate belt color systems to apps like DuoLingo and Fitocracy that turn language learning and exercise into competitions.
Remember that old question: what would you do for a Klondike bar? Well, what would you do for a free t-shirt, or a $5 Starbucks card, or an extra sick day? You can bribe (read: reward) your users to take educational (and necessary!) security awareness training with $5 Starbucks cards, pizza parties, casual Fridays. We’ve heard lots of different bribery tactics, from swanky (free iPads and iPods to the first 100 employees who completed it) to the cutesy (small plush versions of the company mascots to everyone who passed). Some companies bribe their employees with competition and prizes — the top ten percent of passing grades will get an extra day paid vacation — and some bribe with something small for everyone just for getting it done — a week of jeans!
Use Content Marketing tactics. The idea behind content marketing is simple: by creating useful, quality content that you give to current and potential consumers for free, you create brand loyalty that will eventually lead to more sales. The key words here are useful and quality. The brands most effective at content marketing (including IBM and Nike ) run kick-ass blogs and social media accounts that provide a ton of helpful tips, quality advice and actionable takeaways for its consumers. Think about your awareness campaign in the same terms: create ‘brand’ loyalty by teaching your users and showing them that you care about them. They’ll be more willing to follow rules and policies, eager to do a good job and protect your organization’s reputation.
Make it personal. This ties heavily into the content marketing idea: provide useful information that relates to them on a personal level and they will pay attention more than if you wag your finger at them constantly telling them what not to do. Try a company-wide “Shred Your Personal Files” day where everyone can bring in their home documents that need to be shredded. Or offer some free videos and online classes about avoiding identity theft or being scammed online. If you teach your users how to protect their families and themselves (i.e. things they actually care about) you’ll accomplish two things: First, you’ll be more successful at actually getting them to engage and pay attention. Second, you’re showing that the company has a vested interest in its employees, which can be used to your advantage — if you care about them, then they’ll probably care about you more. One very effective method we’ve seen used at dozens of organizations is to reach users through their kids. Teach them how to protect their kids. Offer a “Teach Kids Security” day where they can bring the kids in for a workshop about staying safe online. Offer them lots of resources for protecting their kids’ privacy.
Every goal needs to be measured, otherwise how else do you know if you’ve met? “I want to lose weight” is a lot harder to measure than “I want to lose five pounds.” “I want to run faster” is a lot harder to measure than “ I want to run a 10 minute mile.” It’s the same with any security program, both on the vulnerability management side as well as on the security awareness side. Think of security as a business plan. Set measurable goals and come up with a plan for reaching them. You can’t just say “I want my users to be more aware.” How do you measure that? You can say, “I want my help desk to receive fewer password reset calls because my users are better about their own password management” or “I want fewer users to click on links when we send out phishing campaigns.”
If you treat your awareness program like an advertising and marketing firm treats their clients’ campaigns, you’ll find you will be overall more effective. Prioritize —> Correlate —> Validate —> Analyze —> Start Over!
Prioritize goals for the program. Collect and correlate data through a metrics system that works for you (every company has different needs so this is not a one-size-fits-all situation. Many organizations use phishing campaigns as a starting point, and LMSs to track users’ learning progress over time.) Gather metrics regularly to have more accurate trends — e.g. don’t keep running a commercial that isn’t tracking well with your customer base. Validate your metrics by
Also remember this: what good is the data you collect (e.g. the metrics) if you don’t add value to it (e.g. the context of the information) to make it meaningful? Metric are useful ONLY if there is knowledge and resulting actionable items. These, in turn, bring about wisdom – and behavior change!
Latest posts by Ashley Schwartau (see all)
- Here I Am: My Unexpected InfoSec Career Path - May 30, 2017
- Harry Potter and the Security Prophecy - May 4, 2017
- Use Gamification to Drive Engagement with Newsletters - January 12, 2017