Here at the Security Awareness Company we believe that a successful awareness program must be treated like an advertising and marketing campaign. Your security message needs to be repeated often, in different mediums, creatively and in such a way that it gets ingrained in your users’ heads.
How many advertising slogans can you repeat without even blinking? (Just do it… 15% or more… Nationwide is on your side… Plop plop fizz fizz…. Trix are for kids…) Wouldn’t it be great if your employees, who are responsible for protecting your company’s data and reputation, could repeat important security messages without even thinking about it? (Think before you click… When in doubt ask… If it’s too good to be true, it is…. Report incidents immediately…. Use strong, unique passwords for every account…)
The best way to get security aware messages into the heads of your users is to put them in front of their eyes often, frequently and presented in such a way that they will remember it. Just like the biggest brands do to you about their products and services.
Of course, most CISOs and IT admins didn’t go to school for advertising and might know nothing about classic or modern marketing techniques. “Run my program like an advertising campaign?” you think. “I don’t know anything about that!” We’ve heard pleas of ignorance from clients lamenting their lack of creativity.
Have no fear! You’re about to get a crash course in advertising and marketing from the master himself: the maddest of all Mad Men, Don Draper.
He may be fictional, but he knew his stuff (or at least the showrunners and script writers knew theirs). Below, we’ve covered ten of Don’s quotable quips and illustrated how they can be applied to planning, creating and managing an effective security awareness program.
1. “There will be fat years and there will be lean years, but it is going to rain.”
Sorry to burst your bubble but your organization is not a special snowflake. You will face a security disaster or two. It’s not a matter of if but when you get breached, hacked or infected.
Even if the current forecast is sunny and clear skies, it will rain. And you will need more than that old umbrella sitting in a dusty server room. You’ll need a poncho and rain boots and a few shiny new umbrellas, but you’ll also need people who watch where they step, who drive safely in the rain and who can help you shut all the windows as the wind starts to blow.
2. “Stop writing down what I ask for and try to figure out what I want.”
There’s this famous Henry Ford quote (that he apparently never said but it gets attributed to him constantly and is repeated often because it’s quotable and makes a great point): “If I had asked people what they wanted, they would have said faster horses.”
It doesn’t actually matter that he never said it because the point of the quote is this: Henry Ford looked at real problems, and came up with innovative and unheard of solutions that people couldn’t articulate or even knew they needed. He didn’t look at what people were asking for; he figured out what they wanted. Don’t ask execs or management what they want, they might not realize what they actually want or what they need. They might only look at the NOW — We’re getting phished! Teach users to stop clicking! — instead of looking AHEAD at what problems may rise or get worse down the road.
Your entire security program — including vulnerability assessment and management, and your awareness campaign — must support strategic business objectives. Everything you do must address the financial risk and technical threats that executives are worried about. But you can’t just work reactively, playing whack-a-mole with vulnerabilities and current problems; you can’t just fix what they ask you to fix. You must look at the future. What security issues will threaten you six weeks from now? Six months from now? Six years from now? It is your job to provide a road map for executives, to figure out what your organization really needs: what are you doing now to protect the organization’s integrity? What do you need to continue doing so? And how much will it cost as you make improvements to your plan?
Remember: Executives never want to spend money, especially if they think they just want a faster horse. So present them with a car and show them how far and fast they can go. Before long, they’ll forget about the horse and think they needed the car all along.
3. “You want some respect? Go out and get it for yourself.”
When a new product shows up on the shelves, consumers don’t immediately trust the brand, and many aren’t willing to even risk trying it out. After the product has been around for a while, and some of their friends start to swear by it, consumers will invest their dollars in it. Or, it’s a product so new and shiny that customers didn’t even know they wanted it and it has such an effective marketing campaign that they line up to buy the beta version.
It’s the same with gaining C-level support and a big enough budget. You won’t get what you need without working for it. Stay on top of data breach statistics that you can use in presentations to your executives. Choose a measurable goal (such as fewer calls into the help desk; fewer password resets; fewer users clicking on phishing links; etc.), keep track and compile an easy-to-read report with the information. Collect feedback from your users. Put together a comps report – this is done in the publishing world so the marketing team can plan how best to market a new book by looking at how similar books are faring in the market. You can use the underlying concept to see what your competitors are doing in terms of security. How often do similar organizations have security incidents? How do they combat security threats? How much do they spend on their yearly security program?You have to work for it, but once you get respect and buy-in from upper management and the C-levels, you’ll find you have an easier time getting the respect and buy-in from your users.
4. “I’m glad that this is an environment where you feel free to fail.”
Don was being sarcastic when he said this but this concept is actually very important in most endeavors (especially those that include any creative angle): failure is not the end of the road but a pitstop on the way to success. Not all things work and the things that do work won’t necessarily work overnight. Educating a user base takes time and creativity. There is no One Size Fits All method for training. People learn in different ways so the hour-long training module that appeals to your older employees might not work for the millennials. Be willing to try different training methods, different approaches both in content and delivery. Be willing to ditch the things that aren’t working and take risks on new ideas. Failure is not the end of the path but a stepping stone on the way to success.
5. “Change is neither good or bad. It simply is. It can be greeted with terror or joy — a tantrum that says ‘I want it the way it was,’ or a dance that says ‘Look, something new.’”
Many organizations find resistance when they launch a program. It’s something new and new is scary. Resistance from C-levels and execs, resistance from management, resistance from employees. How do you combat it? How do you get buy-in from every level? How do you get people to stop throwing a tantrum about the changes you’re making and get them to do a dance, excited for the New Shiny Thing you’re presenting them?
Part of your job when launching and managing a successful awareness campaign is to remind people (execs, users, techs, everyone!) about the constantly evolving challenges and threats that face your organization. We must constantly evolve, learn, and adapt if we want to stay ahead of the game. There’s a famous quote misattributed to Darwin (actually said by Leon Megginson about Darwin’s work): It is not the most intellectual of the species that survives; it is not the strongest that survives; but the species that survives is the one that is able best to adapt and adjust to the changing environment in which it finds itself. Part of your (challenging) job is to prepare your user base for these evolving threats, the evolving landscape, and get them to embrace the changes you present.
There are many ways in which you can combat the resistance and get your organization to greet change with joy – whether it’s changing the direction of your awareness program or beginning one from scratch – and we’ll cover a few of those tactics below.
6. “You, feeling something, that’s what sells.”
“Nostalgia: it’s delicate, but potent … In Greek, ‘nostalgia’ literally means ‘the pain from an old wound.’ It’s a twinge in your heart far more powerful than memory alone. This device isn’t a spaceship, it’s a time machine. It goes backwards, and forwards … it takes us to a place where we ache to go again. It’s not called the wheel, it’s called the carousel. It let’s us travel the way a child travels — around and around, and back home again, to a place where we know are loved.”
Okay so it’s two quotes for the price of one. They’re about the same thing and hopefully using two quotes will reinforce just how important this point is: Your users do not care about you, your clients or your organization. Your users care about one thing: themselves.
So how do you get them to care about protecting your organization and the data within? Make it personal! Hit them in the feels. Think about those insurance commercials that make you cry or commercials with animals that make you say “awww”; commercials that make you FEEL something will stay with you longer.
It’s the same with teaching important messages. If you teach your users how to protect their families and themselves (i.e. things they actually care about) you’ll accomplish two things: First, you’ll be more successful at actually getting them to engage and pay attention. Second, you’re showing that the company has a vested interest in its employees, which can be used to your advantage — if you care about them, then they’ll probably care about you more. So once you’ve taught them how to protect themselves from ID thieves and phishing scams and hard drive failures and malware, you can explain how they can use the same newly acquired skills to protect the data of the organization and its clients.
Don Draper came from the old age of advertising and marketing so he didn’t get to see the new (and, in this writer’s opinion, awesome) technique of content marketing. The idea behind content marketing is simple: by creating useful, quality content that you give to current and potential consumers for free, you create brand loyalty that will eventually lead to more sales. The key words here are useful and quality. The brands most effective at content marketing (including IBM and Nike ) run kick-ass blogs and social media accounts that provide a ton of helpful tips, quality advice and actionable takeaways for its consumers. Think about your awareness campaign in the same terms: create ‘brand’ loyalty by teaching your users and showing them that you care about them. They’ll be more willing to follow rules and policies, eager to do a good job and protect your organization’s reputation.
7. “Advertising is based on one thing: happiness. And do you know what happiness is? Happiness is the smell of a new car. It’s freedom from fear. It’s a billboard on the side of a road that screams with reassurance that whatever you’re doing is OK. You are OK.”
Two things motivate people: fear and desire. Which one will be more effective within your organization? (We often find it’s a balance of the two.) We always recommend starting with desire, as it focuses on the positive and can elicit a more engaged response from your users. But occasionally, it’s helpful to throw in a dollop of fear-based motivation. Not FUD-y, but the actual negative side of things that could affect them. For example: Why do people exercise? To look and feel good (desire) and to not die of high cholesterol (fear). So why do your users both following policy? What will motivate them?
Fear comes from the unknown, so how do we free people from fear? Through education. An employee might worry I’m not doing something right or I don’t even know if I’m allowed… Your users may have uncertainty about their actions that leads to inaction. Teach your employees policy, ensure that there are consequences for both following and not following policy, and teach more than just the “what” of the policy – dig into the ‘why’ and the ‘how.’ If you treat your awareness program less like a shaking finger “don’t do this” and more on empowering your users through education, you will give your users that freedom from fear.
8. “We all try. We don’t always make it.”
Don’t punish inadvertent mistakes. You should definitely have negative consequences for not following policy or for directly breaking the rules, but if someone fell for a phishing scam or forgot their badge one day, don’t punish them. Remind them of the rules, and the reasons for them, and encourage them to be more proactive in their awareness behavior.
9. “People want to be told what to do so badly that they’ll listen to anyone.”
What’s the current state of your company’s security policy? We’ve seen organizations try to run awareness programs without any actual policies in place. People need rules to follow, and they need to understand the consequences of both following and breaking the rules. Maybe it’s time for you to re-evaluate your policies — Do they all make sense? Are any of them seemingly arbitrary? Are any of them outdated? Then, make sure the policies are written in easy-to-understand language that doesn’t require a lawyer to translate them. Finally, establish consequences (both positive and negative) and actually enforce them. If a user who breaks policy only gets a slap on the wrist, what’s going to motivate them to not do it again? If a user never gets praised for a job well done, what’s the encourage them to work hard in the future?
10. “Success comes from standing out, not fitting in.”
Do you watch all the commercials that air on TV? If you’re like most people, you tend to mute, fast-forward, or take a bathroom break. But every now and then, you’ll turn up the TV and watch an ad. Why? The commercials that make you take the time to watch them (or even look them up on YouTube later) stand out. Treat your awareness program in the same way to keep people tuning in instead of zoning out.
Your awareness program can’t be boring. Be willing to user humor, music, comics, social media; be willing to try anything that might resonate with your users. Develop a mascot or logo specific to your department; use bold colors, interesting photos and fun infographics; use games and jokes, comics and parody songs. It might sound risky, sure, but without risk, there’s no reward.
It can’t look like every other kind of internal communication your employees are used to receiving. They will most likely ignore it. Make your program announcements stand out. One tactic for standing out is to come up with a tagline or two that help reinforce the mindset you’re trying to encourage. Taglines become part of cultural zeitgeist (Milk does a body good; Just do it; 15% or more on car insurance; Nationwide is on your side…) Creating a memorable phrase or two that your users will always think back to will help make security awareness a part of the corporate culture and not just a chore that has to be done, not just a rule that has to be followed. By approaching your security policies from an advertising angle, they won’t feel as much like rules boxing in your users but just a way of life at your organization.
Now get out there and sell some security awareness!
Latest posts by Ashley Schwartau (see all)
- Here I Am: My Unexpected InfoSec Career Path - May 30, 2017
- Harry Potter and the Security Prophecy - May 4, 2017
- Use Gamification to Drive Engagement with Newsletters - January 12, 2017