This is the second installment of a three-part blog series where we cover topics from our Wisdom 2023 sessions. In each blog, we explore creative techniques for inspiring engagement in security awareness and building a strong security culture. In the first article, we covered how to personalize and invigorate your curriculum for your users using threat intelligence.
Every October, security professionals use Cybersecurity Awareness Month to promote best practices and the shared responsibility for behaving safely. But to stay safe, you have to stay vigilant. And that requires people to constantly be engaged. So in our second Wisdom session, we explored ways to inspire engagement in security awareness for both users and practitioners.
Typically, when we’re talking about engagement, we mean end users—and we all know how challenging it is to keep them engaged. In our 2023 State of the Phish Report, for instance, over 30% said security isn’t a priority for them at work. That’s why in this session we discussed three ways to motivate and inspire your employees.
We also addressed a group of people who are typically overlooked—security awareness practitioners! When you push yourself to find enthusiasm in security awareness, your attitude can have a cascading effect on how your employees engage. So we also covered three ways to find inspiration.
This article recaps the insights we gained in conversation with Janet Roberts, former SVP/global head of security education and awareness at Zurich Insurance Company, and Brian Roberts (no relation), solution manager of information security awareness for Campbell’s Soup Company. (Quotes have been lightly edited for clarity.)
3 impactful ways to engage employees
If you’re looking for creative ways to motivate and inspire your employees, Janet Roberts and Brian Roberts have some tips:
1: Build and nurture an ambassador program
At Zurich, Janet launched an ambassador program that is now used by 32 of the company’s teams around the globe. Every month, her security awareness team creates a toolkit to distribute “grass roots,” always covering one simple topic that is customizable to the ambassadors’ culture, language and policies. Zurich has five regional CISOs and a global CISO, each of whom decides the strategy for delivering this material within their region.
When it comes to measuring program outcomes, metrics will most likely be qualitative rather than quantitative, because a program that is done right is highly tailored to people and places. According to Janet, “[An ambassador] program helps you to meet people where they go for their daily information. Make sure you map it to the structure of your company…and [make sure] your ambassadors are working within their regional strategy or country strategy.”
Brian agreed the ambassador program should target a local audience. At Campbell’s, his security awareness team reaches both inside and outside the organization to cultivate a group of volunteers. Brian’s advice is to start small, create a volunteer pathway, and build each relationship as you scale up. “The more you make that personal, the more you drive an organization that will create change. When you see ambassadors sharing stuff they did in their communities and at home, that’s when you know it’s connecting.”
When asked by attendees during the Q&A about how to get those first volunteers, Brian said, “Be very open so people feel you’re approachable and they can bring personal stories to you. That’s where you find that first pool of people that you can then send out to find more people.” Janet added that at Zurich, “We started with people whose job was to lower the human risk factor, like security officers and service executives. From there, they added their own connections and built their teams.”
2: Create a people-focused messaging strategy
In this part of the session, our panelists shared ideas about how to build effective messaging and tailor the content so that everyone can understand it.
Brian suggested keeping your messaging simple so that people can grab onto it. Don’t give them too much to read, and stagger and vary the content. It’s important to have an outsider perspective for everything that you do, even when campaigns are focused on a specific role or area. He quipped, “Don’t use a monolithic approach, because people are not monolithic—be as diverse as your workforce.”
Brian also talked about creating a simple personal theme for campaigns. “Always tie [your campaigns] to a more transcendent quality that is rooted to whatever slogan or mission you come up with.” For instance, his tagline ‘Protecting Communities, Protecting Campbell’s’ plays on the concept that we’re only as safe as our surrounding community.
Janet shared her philosophy of making everything bespoke. Think globally but act locally for each language and culture. “You don’t want to sound stiff and corporate. Always think about making your messaging specific to every person, even if there are 100k people in different countries.” Using American slang in English writing, for example, might not be translatable.
Janet tied the messaging strategy back to ambassadors. “Locally you have the ambassadors to deliver that message in the right way. They’re part of your messaging strategy, and the more excited they are, the more you enable them to speak in a way the employees will respond. It’s really connected.”
3: Design meaningful and impactful campaigns
While creativity and personalization are important, Brian and Janet also quoted industry icon Lance Spitzner to make the point that security awareness is education, not entertainment.
If employees play a security-related game or read a meme, Janet feels this experience should have an actionable item. For instance, she asked the red team at Zurich to build a password cracker for Global Password Day. When a user entered a password, it told them how long it would take to crack—one minute! three centuries! This tool was part of a successful campaign that gamified learning in a memorable way.
Janet said, “Things that are entertaining or lighter should hook the employee in. Then the education should be something they can retain and act on.” Brian agreed, “Flashy marketing is great, but ask yourself whether people are engaging with what we create. What’s the core, the nugget, the kernel that I want them to take away?”
The panelists also talked about the impact of an incentive program that’s tied to awareness campaigns. At Campbell’s they have tiered incentives, dubbed challenge coins, that reward people for reporting emails. Rewards are scaled depending on whether the email is legitimate or spam. Alternatively, Zurich finds employee recognition and validation to be highly effective. Every year, they hand out achievement badges for email signatures that let employees stand out.
3 exceptional ways to engage security practitioners
In the second part of the Wisdom session, Janet and Brian gave advice about being a strong practitioner by looking inside yourself and beyond yourself to keep yourself engaged.
1: Bring your strengths and experience to the program
Brian talked about focusing on the volunteers. Find out their skills and talents so they can feel involved and recognized by doing something they enjoy. This can help you gather energy and support. “Make sure everyone has the ability to contribute and shine in their own way. And reward that activism in whatever way it comes.” For instance, if people like taking photos on their phones, ask them to make picture collages of the year’s events for Cybersecurity Awareness Month.
Janet talked about focusing on your skill sets. Think about what you’re good at because that helps your program and ultimately your career. Don’t jump in because it’s a hot profession or you want a certain job title. “Those things will come with you being the right fit for what you’re doing, making your work stretch across the whole program.” Evaluate your own strengths and how you can apply them to security awareness training. For instance, you’re a great relationship builder, or you’re creative, or you like variety and change.
2: Do everything in partnership
Janet and Brian were enthusiastic about being closely connected to the cyber team. Position your security awareness team as part of the threat landscape and the group that handles human risk management. With regular discussions, the cyber team will respect what you’re doing and regularly share what they see in the wild.
Janet explained her view of being part of a bigger mission. “The cyber team is the feeder stream for the risks that the employees see. That lets you brainstorm something interesting or creative or immediate. And then you can work it in a longer range.” Many campaigns at Zurich came from Janet’s collaboration with the threat intelligence team for bite-sized topics, or the red team for tools like a password cracker.
Brian shared his approach of using messaging to create collaboration. “You can demonstrate security awareness as a force for marketing by promoting the contributions of every pillar and area of information security.” Teams like incident response and identity and access management will realize that you’re their marketing champion for the causes they’re concerned about, and so they’ll come to you with topics that will make your program more successful.
3: Open yourself to change
The panel ended on a playful note as Janet and Brian discussed the topic of embracing change as a security awareness professional.
Janet said that she thrives on change. “It’s a very gray area. Why? Because you’re not working with a tool, you’re working with human beings.” Employees change their mind and decide whether to pay attention, and campaign plans need to stop or pivot when the cyber team reports a threat in the wild. Janet’s advice is that security awareness is a good fit if you like the new and different and are comfortable with constant shifting. If you’re a linear thinker who sees change as disruptive, however, consider where your skills might be a better fit.
Brian said that for him, the key term is adaptability. If you’re leading your company’s security awareness and culture, everything changes: messages, topics, priorities. “You’re going to be on your toes all the time. You will have monkey wrenches thrown into everything you’re doing and your calendar is really a continuously evolving thing.”
Wisdom after-hours: Bonus takeaways
After our information-packed Wisdom session, I caught up with Brian and Janet to get their final tips to help our attendees push themselves and their security awareness program forward.
- Focus on work you enjoy or have talent for, and approach it with the goal of adding value to the company. You’ll both succeed and love your job.
- Build trusted relationships and strong networks to create things you’re proud of. Don’t be the ‘always right’ person—to quote the Beatles, you ‘get by with a little help from your friends.’
- There’s a difference between entertainment and education. Your program strategy is to lower human risk. And part of that strategy is sprinkling in fun but not being driven by it.
- Make your mission transcendent and personal. The more you can hyper-personalize and make people feel they’re contributing, the more they latch on and take it to the next level.
- Have a voluntary path and reward activism. If you consider cybersecurity as a grassroots movement, it’s an essential cause because it involves all of us and our loved ones.
- Maintain consistent branding and broadcast it. Speak in a language that everyone can understand, even when communications and campaigns are focused on a specific audience.
Want to learn more from Janet Roberts and Brian Roberts? Watch the full replay of this Wisdom session, “Keep Eyes on Security: How to Keep Your Users Engaged.” You’ll hear the extended explanations of these topics, a robust Q&A segment, and their concepts of ‘grassroots’ as a building block of security awareness.
Stay tuned for the final article of our Wisdom retrospective series, “Beyond the Status Quo, Part 3: How to Reduce Human Risk by Changing Users’ Mindsets and Behaviors.”