You know your security awareness program exists but does anyone else? Do business leaders understand the business value your program provides to the company?
In this live stream for the Security Awareness Community Ava Woods-Fleegal brings her expertise from working as a security awareness leader across industries including defense, tech, finance in companies ranging from 5,000-200K globally. Ava is a security awareness professional who is experienced in developing and scaling positive awareness training programs to help drive behavior change and nurture a strong security culture mindset. In companies so large it can be easy for a program to get lost. Ava comes to talk us through how to communicate the value of your security awareness program to elevate the impact your program has on the business as a whole.
The commonality across all these different types of companies is that we have folks who are doing one thing and we want them to do something different - there's that change management component. And so it's one of my biggest missions to find the best, most effective methods and how we make that journey and push that transformation.
Effective communication takes more than simply speaking a common language. Perception plays a major role in how information is translated and valued so how do we overcome the challenges inherent in communicating the value of our programs? Ava 3 areas that she views as hurdles to overcome:
1. Being seen as the 'entertainment crew'. The first thing is we're always seen as an entertainment crew - "Here are the awareness folks, they have funny content, they have funny videos." And when we're in that light of being the entertainment crew, it's hard to tie to the substance, the impact that we're making, and really the value that we're creating for the company.So what are the key indicators to measure for demonstrating success of our security awareness efforts?
Ava emphasized one of the main indicators to track for showing the impact of your program is looking at behavior change metrics. The easiest one to track is a reduction in click rates on phishing emails. Another area to look at are incidents, such as policy violations, and see if there has been a decrease there as well. When doing walk-throughs you have metrics on how many employees are leaving their computers unlocked or how often people allow piggy-backing into the building.
But there are also metrics of positive initiatives that also support the impact on the business and security culture such as employees proactively requesting particular training or resources for staying safe online. "The storytelling element is very important and helps with that emotional connection for the buy-in that we need to further our programs."
Additionally, utilizing reporting requirements or fines can be another venue to help communicate impact. For instance, highlighting when you avoided a fine for X amount because of the positive behavior change from the program - or alternatively comparing past fines incurred that are no longer happening thanks to the investment in the security awareness efforts.
However, Ava cautions professionals against just providing numbers without the context of the bigger story around the data you're spotlighting. Because for the executive or the board, that number may be a drop in the bucket to them unless you help them understand the bigger picture.
We have to go above and beyond just providing metrics. We want to go beyond that and show the tremendous impact we're having on the organization.
You want to be able to help the decision-makers understand why your program needs investment so that you can continue to further the company along - help them see that good security awareness and a strong security culture don't just boost your 'area of expertise' but rather lifts up the company overall as a whole in its business goals.
One important success indicator for yourself as a manager that Ava used for herself when she was just starting out for the security awareness program is if your program earns a spot on a report for the executive leadership or in their conversations. Is your program viewed as valuable enough to talk about at the leadership level? That is a great bar to aim for.
Understand the value of your people. Understand the people who are part of your program and then create a program heartbeat that everyone hears.
Think about the people it takes to build your program. You need folks who are good at communicating; folks who understand behavior, and change management, and people who understand how best to educate adults. These key skill competencies are the gems of your team and they can be either your direct team or your functional team that you work with for the program.
Understand your sphere of influence. Ava encourages security awareness program managers to consider the impact your program has on others in the organization. Consider further how it impacts the company's stock? What is the impact on some of the most key fundamental parts of the business, like learning?
"If there are things that you're trying to achieve within your security training program that are dependent upon a strong corporate learning strategy, then make sure that you're part of that conversation where you're saying, hey, we have these needs and they are aligned very similar to the organization...what can we do for you to help move the needle in terms of a strong corporate learning strategy?"
Ava emphasized that really digging deep to understand all the players involved and being actively involved in aligning with the company mission and focus along with the key players will definitely help demonstrate the value of your program.
Create a 'program heartbeat' that everyone hears. The active involvement in making sure your program is aligned with the company mission and the regular engagement with key stakeholders is the start for creating 'buzz' - or as Ava puts it, a heartbeat - around your efforts. As you go about considering the sphere of influence, the goals and objectives, look for ways to generate communications about your program.
As Ava states, "Plans get buy-in early. You want to make sure that everybody knows about the plan. That's not just leaders, but that's employees, too."
If people can't hear the heartbeat of your program, do they know it's alive and will they continue to fund it?
Take, for example, your annual plan for security awareness. List out the topics for the year, highlight the key risks that will be covered, and the areas the company needs to focus on, and make that information available to all employees.
Ava recommends having a dedicated channel for all of that information where updates can be provided as to what's been done and with whom. Not only should it go to employees but there should also be a reporting mechanism in place to middle management to help amplify the activities of your program.
We don't put ourselves out there enough, we kind of get hidden - yeah, we've got a 95% completion rate for training. Yes, we have a champions program and those folks are really happy about it - but just those folks, right? Like they're the ones who know about it because they're in the program. But where else are you able to shine the light to say "Hey, here's what we're doing, and here's how we're also impacting the organization."
Pitfalls to Avoid
Forgetting the 'Why' - It can be easy to get sidetracked into just being viewed as the team who carries out training or does comms - Ava stresses the importance of remembering why we are enabling people and that we need to be employee user-centric.
The question she encourages security awareness professionals to keep front and center in helping remember 'the why' is "How are we making sure that employees are working security and engaging securely?". And it's your job as the lead for the program to be the champion of that messaging through meetings and conversations - asking for feedback, ensuring alignment and clear communication.
Missing or Faulty Feedback Loops - Just as marketers cannot create messaging that resonates with their audience if they don't speak to them or provide a channel for feedback on what worked and what doesn't make sense, so, too, do security teams need to ensure they have a working channel for feedback and input from the employees they are trying to educate and encourage behavior change.
Ava's Points To Remember
Remember your value. If you're not sure what that value is, take time to think about all of your touchpoints, all of the things that are going to enable you to be successful that are shared with other groups as well. Those are the folks that you want to engage with or engage with. That's where you want to spend just a little bit more time.
Learn the art of storytelling. It's so important to be able to say, yes, here's the information here's explained by the data, but here's the magic behind it, what it means for you, what it
means we need to do next, right? It's so important to be able to tell that story
Really understand what your program's reach and impact do. You have all of these amazing, what I call unicorn qualities and you really need to embrace that and make sure that you're being loud and proud about it and what you're putting out there.
You are end-user training.
You are security training.
You are coordinating technical training.
You are communications.
You're a marketing expert.
Really embrace that and just think, 'how else can I tap into the company?'; and really start rising up and showing the value that can be provided right through your program.
---
Connect and learn more from Ava Woods-Fleegal, MBA, SSAP, Prosci, CISSP
Building A Winning Security Awareness Program
Building A Healthy Cybersecurity Culture
Creating Impactful Videos for Security Awareness Training
Security Awareness Training Highlights PDF