A recent blog posting at the InfoSecurity website suggests that instead of moaning about how employees are the weakest link in your security chain, you take steps to make them the strongest. “Persuading Employees They Are Your Organization’s First Line of Defense” by Chris Barrington describes the strategic approaches for getting the security message across. Barrington offers eight different considerations for your messaging. I won’t describe them all here because it’s a succinct post, and you can read it in just a minute or two.
I just wanted to point out something that I observed about each of Barrington’s considerations. They all have to do with going beyond formulating the content of your security message to deeply considering what the message means to the audience.
Getting a share of employees’ minds isn’t just a matter of catchy wording or eloquent rhetoric. It’s a matter of thinking deeply about the specific needs and interests of your audience and then crafting the message to appeal to those needs and interests. The implicit message, of course, is always, “the company needs your cooperation to prevent attacks.” And it should be enough to appeal to every employee. But it probably isn’t, because it’s separated by more than a couple of layers of abstraction from the day-to-day concerns of your employees.
Imagine you are giving a presentation on the importance of cybersecurity to a group of employees. You assume everybody in the audience is focused on what you are saying. But you are addressing an audience of human beings. One has a child home sick from school. Another has just had an unfavorable performance review. Yet another is closing on a new home tomorrow. Still another has a deadline for a deliverable at the end of the week. How can your remarks about password hygiene and screen savers compete successfully with those kinds of concerns?
Whether you like it or not, it’s your job to sell cybersecurity to your employees. Sales professionals know that the first step in the selling process is to analyze the audience and figure out what’s in it for them. Of course, keeping their jobs should be an effective motivator, but the possible loss of a job is an eventuality, while the sick child, the unfavorable performance review, the closing on the house are immediate demands. And it’s human nature to attend to immediate demands first.
My advice is to first show them where the pain is. Find a way to vividly illustrate the danger. You might cite a case from the business press (there are plenty of them); just be certain to note how many people lost jobs. Or you might try demonstrating their vulnerability to them with something like our CyberSAFE Readiness Test, a 15-question test designed to determine how well employees recognize and avoid cyber threats. When we rolled out the test, fewer than 10% of participants passed. (For more information about the CyberSAFE Readiness Test and to receive access to the test at no charge, please contact us at +1.800.889.8350.)
Once you’ve got them focused on the pain, they will be far more receptive to the cure. Whether it’s the Logical Operations CyberSAFE class or some other program, it’s bound to get better results when it answers a need for the employees and not just one for the organization.