Security awareness is one of the most important steps to building a culture of security in an organization. However, finding the right approach to engage employees in security awareness programs is one of the biggest challenges for organizations and has been the primary topic discussed by security experts at major conferences around the world.
Following the significant increase in ransomware and phishing attacks in 2021, 46% of organizations globally are prioritizing their investment in security awareness training in 2022.
In addition, annual security awareness reports show that low security awareness among employees is the main barrier to organizations adopting strong protective measures. Therefore, awareness programs play a significant role in reducing risks and vulnerabilities.
But what is the missing link that companies are looking for to make a security program effective and get employees more engaged?
VigiTrust CEO Mathieu Gorge explores the gaps and issues, as well as the pathways to an effective security program in an insightful interview with Ava Woods-Fleegal, Global Security Awareness Leader at Raytheon Technologies.
Compliance – Are We Going In the Right Direction?
It is no secret that human risk is the biggest threat in an organization, and to counteract it, it is critical that organizations maintain an effective security awareness program.
Ava mentions that one of the biggest challenges with focusing on compliance is that technical controls are prioritized over human controls and reducing human risk: “I worry that not enough attention is given to enabling people to work securely, be resilient against attacks, or to report in the case of an incident.”
Since technology alone does not cover every threat, failing to prioritize security awareness means building a security culture on a weak foundation. Recognizing this as a red flag is a sign of changing thinking, but the security awareness process itself can still be a difficult undertaking for companies.
Key Actions for Security Awareness Success
To return to a point already made: An organization that has a successful security awareness program also has strong human risk management. The big question here, however, is: how can it be done?
Ava explained that training to increase people’s resilience needs to be compelling, engaging, and memorable. “We need to talk about how we can be more effective and what points we really need to address,” she explained. Ava highlighted key actions that contribute to the success of an awareness program, such as:
- Incorporating behavioral science and learning theory approaches in building a security awareness program, including the adoption of “tiny habits” to achieve behavior change
- The use of interactive tools such as quizzes and games to stimulate information retention
- Ensuring curricula and activities are designed for a diverse employee base
Training Boards and C-Levels
A cultural shift must occur at the executive leadership level. However, those responsible for security often find it difficult to communicate the organization’s risk scenario to the board and C-suite.
To change the board’s understanding and engagement, you need to think critically about how you are going to do it. How will you give them the information? What approach will you take to communicate and present the risks? How can you best get your message across? How can you enable them to support you?
So, to change their behavior, you have to consider them as another critical stakeholder audience alongside the others you plan for in your efforts.
Wrapping Up
A security awareness program helps employees mitigate risks and threats and weaves security into company culture. Consider 3 parting words of advice:
- Promote security awareness and culture at all levels of the organization.
- Focus on the behavior and change management aspects of security awareness and training to manage human risk.
- Demystify security—simplify it for your employees.
Source: https://www.forbes.com/sites/forbesbooksauthors/2022/10/26/upping-security-awareness-programs/