Intelligent CIO Europe Issue 56 | Page 40

TALKING BUSINESS

connection between education and behaviour that honestly doesn't exist. Security leaders need to understand how awareness, education and behaviour change work.

I think a second challenge is getting the airtime. Many departments in large enterprises are trying to push their messages, whether it's about compliance, money laundering, new processes and systems being rolled out, or even this week's canteen special. Numerous messages are being pushed forward and security can struggle for airtime and get lost in the noise.
The third challenge, referred to already, is the lack of time and resources put into awareness. If an organisation can balance the time and resources spent and is willing to invest in creating compelling content that people love to consume, such as gamification, the results can be effective.
Why is a borderless training platform so crucial given today's distributed – and often hybrid – workforce?
You can't keep training bound to the office environment anymore, as many training techniques we've used in the past, such as posters and digital signage in the office, become almost irrelevant to the new working model.
You need to think about more contextually appropriate content that will work in different environments. For example, what would work in a home environment? What would people have on their desks? What could act as a prompt in their home environments or when working on the road? You need to remember that just a single-point deliverable doesn't work. People forget to take steps by prioritising efficiency over security. The border of just having one message pushed across the company is irrelevant without long-term reminders and impact. You need to push different messages, at different times, through different channels so that people absorb the messages. Simply create an environment where the user is continually reminded of the right actions.
How important is it that the training approach is specifically tailored to individuals based on their geography, job role, or even specific users and user profiles?
It must be relevant to you in your role. If you can teach with a specific perspective in mind so that it relates to a role or location, then the individual will have a framework or context with which to associate the message and they'll retain it better. You must try and figure out how you can tune the message to the person you're speaking to, to make it relevant to them for an effective result.
How important is a customised, tailored approach to awareness training to enable real behavioural change?
Lots of organisations will start out doing some phishing testing, receiving results of a 30% click rate – so one in three people will click on a phish. It is possible to get that down to 1 or 2%, but to achieve this you need to focus on approaches beyond awareness. Smoking is a great example: there is 100% awareness that it's dangerous and yet still people smoke. So, awareness does not equal behaviour; they are not the same thing.
You need to consider other elements influencing behaviour, such as motivation. I commonly tell people to stop calling it a security awareness programme, even if you just do that internally within your team. Calling it 'security awareness' leads you to make the wrong conclusions about what you need to do to achieve your goal. If you call it a 'security behaviour change' or 'security culture change' programme, you widen your perspective and will think about the different aspects that need to be brought into your portfolio of tools and techniques to actually change behaviour or change the culture, and not just build more awareness.
Why is it important that a training programme is flexible, easy to use and adaptable to changing business needs?
The only thing the CISO can rely on is change. The threat landscape is going to change, the business will change, the budget will change, the staff around you will change and your priorities will change.
You need to build flexible programmes that you can adapt, because when your organisation acquires in a new country, in a new language, you need to be able to apply the same consistent education in that new language and culture as you have for the rest of the organisation.
You need to have the right messages for different roles and you need to have the flexibility to change your tooling, messaging and content to address the right threats.
INTELLIGENTCIO EUROPE | www.intelligentcio.com