Ah, raising awareness. Well raising awareness properly, and by that I don’t mean doing some rudimentary tick box waste of time and energy.
Where to start. Well, I’d advise you to think of it like marketing, because that is what it is! You’re trying to sell ideas; you’re trying to build engagement; you’re trying to deliver nudge actions; you’re trying to grow the consumer base; you’re trying to run campaigns. It is all marketing 101.
It is marketing, because, let’s face it, who the hell actually wants to do security training? That said, you might not have a great deal of experience in marketing.
So, here’s an idea. Why not engage your marketing team to understand how best to go about these aspects that are largely alien to you and a specialism for them? You have the skills available to you if you only just look. You want to build, ideally, a campaign. Can you guess what they do? That’s right. Campaigns. Marketing campaigns.
A classic move, that I’ve seen time and time again, is for security people to write some awareness material and just send it. Scattergun to an unsuspecting audience, with little to no thought about actual engagement methods.
If this is you, then good luck to you. I’d wager you might not be as effective as ideally, you’d want to be, but maybe you’ll get lucky and your words and pictures will be music to the ears of your super engaged audience.
One thing to consider is that not everybody likes the same things. I know this is hardly earth shattering news, but it is important. You see, because people don’t all like the same things, then a one size fits all model is not likely to work for everyone. The same applies to peoples’ learning styles and preferences. And this includes language as well as delivery medium or method. And that is the case even before you factor in geographic considerations. You could turn a portion of your audience off before you’ve even started, whilst remaining blissfully unaware of the fact.
So, consider building different versions of the same ‘message’. Or rather, working with people who are very good at producing such variable content. Again, these people are quite probably already available within your organisation. Communications teams and those lovely marketing people again do this stuff for a living. They tend to be quite good at it. Certainly, better than security folk who often have trouble communicating in a common language at the best of times.
While thinking about variants, or versions of the same, consider A/B testing. For simplicity purposes, test two versions of the same thing to measure audience engagement and performance. Poll the recipients for feedback. Talk to them. Delve into their wants. Keep that mental focus on marketing and in this aspect, market research. Your market is your consumer. The consumer of your awareness activities. Everyone in the business(es). What works best for who….this time.
By performing market research, you also show a willingness to engage, listen and provide content and methods that works for the people you want to actually engage with, whilst recognising and celebrating their differences. Adapting your style and content to fit them. Plus, it brings them into the engagement cycle from the off.
Consider running pilot sessions with a, or some, user engagement group(s). Find what the audience feedback is and adapt the content, medium, delivery method et al from there. This is live testing of your programme, rather than just going organisation wide without understanding in any way what might or might not work.
Think of a stand-up comic testing new material before embarking on a tour, or test screening of films before premiering. Each allows for changes to align with the audience feedback. This kind of activity has been going on for years, so why not apply it to security awareness? The principles are exactly the same. Allowing you to adapt to the audience, not them to you.
Oh, and by engaging with all of these people to be a part of your awareness activities you are building relationships, and actually already raising awareness with some of your consumer base. They might, for example, have a vague idea who the hell you are. These same people are also more likely to champion you and the work if they’ve been a part in its founding. It is their work too.
Or, just send out a newsletter for a few weeks, until your material dries up, throw in a couple of PowerPoint marathons (other execution methods are available), one group session and just sit back and relax safe in the knowledge that you’ve achieved the square root of…..well, very little.
Some of this will be very alien and probably uncomfortable for you, but the effort is worth it. Utilise the expertise available to you.
Market your security awareness.