To Ensure Security Education Success: Think Like a Marketer

Peter has rolled out a security education program at his company, and things haven't been going as well as he'd hoped. After a long battle, he cleared the first hurdle and won approval from the CEO to get a training program underway. He worked it into his security budget with some creative rearranging. Then human resources put up resistance. A number of employees didn’t see the benefits of the program, and had been grousing in the lunchroom about it being a waste of time. But when a phishing attack exposed some company data, the CEO got involved and it was time to move the program forward.

Peter may be very good in his role as chief information security officer (CISO), and truly understands how critical security education is to his company's future. His shortcoming, however, is that he didn't put on his marketing hat and wear it throughout the process of implementing the education program. Since all of his buy-ins have come with a fight, he's the only one who is 100 percent invested in the process.

Peter has learned a valuable lesson: Today's CSOs need to borrow a page or two from the marketing handbook, using tried-and-true marketing tactics and principles to ensure the end-to-end success of their security training program. How can other security professionals kick their programs off on the right foot, assuring acceptance and creating other champions through every stage of the process?

Security Education Has Never Been More Critical

One in every 392 emails sent contains a phishing attack, according to 2014 Internet Security Threat Report from Symantec. Think about how many emails your company receives each day or week, and chances are one or more was an attempt to breach your company's security perimeter. On top of that, Symantec reports that more than 552 million identities were exposed via breaches in 2013. Selling the importance of a security education program to management has never been more critical for HR and employees.

Getting started isn't difficult; just put yourself in the end user's shoes. Understanding not only your goals, but also how to best meet the needs of employees—needs they oftentimes don't even know they have—is critical.

Let's take a look at how some basic marketing tactics can be used in a security education environment:

Start at the Top

You need to create security champions within your company, so why not start with the senior management? Much like you would put time into a marketing plan for management to approve, do the same for security education. Create a short but impactful plan that clearly outlines the organizational risk without security education, achievable goals for reducing risk, the cost involved, and why the cost justifies the program. Leverage statistics from reputable sources about the impact of attacks, and use examples from your own company, if applicable, to illustrate your point. Anticipate tough questions and be prepared with appropriate responses.

Create a Campaign, Not an Event

Security education is not a one-time event, even for employees who "pass" the first round of training. Going in, employees should know there will be regular instruction and drills, and be reminded of the importance of security education frequently in emails, newsletters and posters in common areas. Creativity counts; employees will be much more likely to accept a program that handles the serious topic of security education in an interesting and highly educational manner.

Therefore, consider creating a program logo or using a mascot to introduce the program. For example, think how well the Smokey the Bear campaign worked for the US Forest Service in raising awareness for the prevention of forest fires. When Bill the Security Bulldog speaks, you just might get people's attention more so than another memo from the security team. 

Set the Tone

As you can see from the point above, there might be value in a more lighthearted approach, as long as the overall messaging underscores the desired action—a change in employees' behavior. What is the tone of the program and messaging you'll be sending employees at your company? Is it informative? Preventative? Fear-driven? Setting the proper tone at the beginning and carrying that through your campaign is important.

Set the Hook

What's in it for them? One often overlooked facet of security education in the workplace is that concepts learned are directly applicable to an employee's personal life as well. For example, if you educate an employee on recognizing a phishing attack in his or her work email or show that individual how to spot bad URLs, that translates directly to personal habits as well. Teaching employees how to protect the physical security of their workplace, such as not giving admittance to an unknown or unscheduled service person, also gives them knowledge they can use at home.

Reward and Remind

People love free stuff, even something as simple as a pen. Your rewards for different levels of training should be direct reminders of your program, such as mouse pads or pens—items employees use every day. One of our customers was really clever; giving employees a program-branded sticky note to put over their webcam so that if it was maliciously activated it couldn’t capture anything. Companies will also want to consider that lauding employees when they don't fall for a scam reinforces positive behavior by stating: "Hey everyone, Cindy thwarted a phishing attack today!" Executives can then give Cindy a ribbon or a coupon for a cup of coffee in the building cafeteria, a move which goes a long way in validating your program.

Measure Results

Just like a marketer would measure open rates, click-throughs and conversions to measure the success of campaigns, CISOs need to know if they are making an impact. Being able to assess the change in test scores for individuals and groups before and after each training can help you give you concrete results that prove the success of your campaign. The ultimate measurement, however, is the reduction of adverse events.

CISOs that put on a marketing hat throughout their security education program not only see easier acceptance and stronger results, but also never run out of things to talk about—whether in a management meeting, the hallway or the elevator. They are seeing success and are always selling the program, which in turn generates further acceptance and even better results.