Not too long ago, Cybersecurity Awareness Month was a niche concept for only the biggest security teams. Security leaders at large financial services organizations would dress up in superhero costumes and hand out flyers to their employees, reminding users of basic security concepts such as strong passwords. This was a time-intensive, one-off activity that was limited to those organizations that could afford it.
Fast-forward to now: Cybersecurity strategy is on the agenda of most of the world’s boardrooms. Your employees and customers are much more digitally savvy and expect you to protect them without annoying them. Communicating cybersecurity messages and ensuring that all employees remain cybersafe is no longer a niche activity. In that vein, many CISOs I speak with see this month as a must. Here are some tips to get the most out of Cybersecurity Awareness Month:
- Plan for it as you would for any other security project. This time of year sneaks up on us in security every single year. October — the month of Halloween and Cybersecurity Awareness Month. Cybersecurity Awareness Month is a bit like birthdays, anniversaries, and Christmas. They happen every year, and yet every year some people (like me) are surprised by them and run around scrambling for gift ideas — and then there are others, like my sister, who methodically compile a list of gifts, prepare a menu, and purchase everything months before the event. Be like my sister! Stay on top of planning and start organizing your Cybersecurity Awareness Month campaigns well in advance.
- Use it as an integral part of your security culture journey. Our research report Instill A Security Culture By Elevating Communication is a guide for CISOs and their teams as they traverse the murky and often challenging waters of creating an engaging and binding security culture. No, we’re not talking about perfunctory one-off security awareness and training programs. Up the ante and transform your security culture up, down, and across the organization. And create a hearts-and-minds engagement around the topic of security.
- Combine creative and pragmatic tactics to harden your human firewall. Harden Your Human Firewall contains an inspiring set of awareness and engagement tactics that we collected from around the world. My hope in writing this research was that these tactics would inspire everyone, regardless of their stage of maturity. Awareness teams have come up with a huge body of creative work activities targeting end users during the month of October and as part of their overall journey. This includes escape rooms, games of Monopoly, and books of short stories. Experiential learning and gamification have proved very popular with senior execs.
- Partner with governments and like-minded communities to learn and share ideas. Help build and develop a security ecosystem by engaging agencies and associations to deliver far-reaching solutions. Take an example from the Australian government’s Stay Smart Online team on Safer Internet Day: It collaborated with several CISOs around the country to determine a theme for security communication. They ended up agreeing on the “ask out loud” concept, which organizations used to encourage nontechnical users to discuss security concerns and ask question when they aren’t sure. Another Aussie example: The Australia Security Influence and Trust Group community provides an affirming and energizing way to meet other professionals tackling similar issues and share solutions.
- Determine your outcomes and measure the ROI of your campaigns. We know that many CISOs struggle with justifying any investment in awareness, behavior, and culture activities, and Cybersecurity Awareness Month is no exception. Be clear on the behaviors you want to target during the month, and define a way to measure whether the campaigns you put in place have been successful in changing those behaviors. For example, if you have a booth or an escape room that engages users in selecting strong passwords, measure whether users changed their passwords after taking part. Read more on this in The Business Case For Security Awareness And Training.
- Take the opportunity to review your security awareness and training solution. Like checking your fire alarm once a year, it’s a good idea to check that your SA&T solution is giving you what you need. As Claire O’Malley and I are learning, this is a rapidly evolving market, and what was great in terms of content quality, quantity, and support last year may be letting your organization down this year. We are in the middle of our inaugural Forrester Wave™ evaluation on SA&T as we speak, but we have already published a Now Tech: Security Awareness And Training Solutions, Q1 2019 to help you get a sense of the vendor landscape for awareness solutions.
Happy Cybersecurity Awareness Month!