Just because it’s the start of February it doesn’t mean it’s too late to make a resolution, especially one as important as focusing on your security awareness and training (SAT) program. In order to do great things with your SAT program, you have to change hearts, minds, and behavior patterns rather than checking the same old boxes.
If you are like most organizations, you want to do what’s right for your organization and generate positive results, but you may not know exactly how you are going to make it happen.
To begin the process of creating a solid plan and foundation that will enable you to achieve a game-changing level of security awareness and behavior transformation, you have to take the time to learn what the different stakeholders in your organization think about security.
Get SMARTER about what ‘good’ looks like for your organization
A critical step is implementing a framework to help ensure that you are approaching things in a structured manner, rather than simply making it up as you go. Especially in large global organizations, I recommend conducting a series of interviews or quick surveys to understand how different divisions and divisional leaders view security, understand policy and best practices, and what they truly hold important.
It is always interesting to see the differences and similarities that this process can help uncover. It also helps you understand if your key executives are in alignment and if there are some political or logistical hurdles that you need to work through as you build your plan.
With this background knowledge, you can begin to create your goals for the year. For this, I like the SMARTER goal-setting framework proposed by several productivity gurus. There are a few different versions of the SMARTER framework; for our purposes here, I’m using the Michael Hyatt version. SMARTER framework goals, in the context of a security awareness program, consist of the following:
Specific enough to focus and direct your efforts. What exactly are you hoping to achieve in the next year? Think about this both in terms of content delivery, behavior change, and any other goals that you can refine enough to be specific about.
Measurable so you can keep track of progress and identify gaps. Identify beforehand what you are going to measure. Number of campaigns; course completion percentages; average test scores by department; Phish-prone percentage change over time; number of special onsite training events, such as table-top exercises; number of self-reported suspected security issues; number of reported suspected phishing emails vs. the number of accurately reported phishing emails and known unreported phishing emails; and the list goes on. The point is to find measurable attributes/outcomes of your security awareness program that are relevant to your organization, the change you are trying to drive, and the story that you want to tell.
Actionable with a clear initiating verb that prompts specific activity. Your security awareness program will likely have several goals attached to it. Each outcome should be clearly stated with an action verb. Here’s an example: “Reduce our overall Phish-prone percentage from 22% to 2% by December 2018.” And another example, “Build our security awareness dashboard and deliver agreed-upon metrics by the end of Q1, 2018.”
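The metrics listed under Measurable and the dashboard goal above can be computed from a few fields per email event. The following is an added example (not code from the original post or from any vendor product) showing how to compute per-department Phish-prone percentage, reporting precision and recall, and the count of known-but-unreported phish from a constructed sample of simulated-phishing and report data, plus a helper that measures progress toward a goal such as “22% to 2%”. The record layout, field names, and sample values are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class EmailEvent:
    """One email seen by one user (assumed schema for this example)."""
    user: str
    department: str
    is_phish: bool   # simulated phish sent by the program, or a confirmed real phish
    clicked: bool    # user followed the link / opened the attachment
    reported: bool   # user reported the email as suspicious


# Constructed sample data for illustration only (not real campaign results).
EVENTS = [
    EmailEvent("alice", "finance", True, True, False),   # clicked, never reported
    EmailEvent("bob", "finance", True, False, True),     # accurate report
    EmailEvent("carol", "finance", True, False, False),  # ignored, unreported phish
    EmailEvent("dave", "finance", False, False, True),   # benign mail reported (false alarm)
    EmailEvent("erin", "eng", True, False, True),
    EmailEvent("frank", "eng", True, False, True),
    EmailEvent("grace", "eng", True, True, True),        # clicked, then reported
    EmailEvent("heidi", "eng", False, False, False),     # benign, correctly ignored
]


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def department_metrics(events):
    """Return dashboard metrics per department plus an 'all' roll-up."""
    groups = defaultdict(list)
    for e in events:
        groups[e.department].append(e)
    groups["all"] = list(events)

    metrics = {}
    for dept, evs in groups.items():
        phish = [e for e in evs if e.is_phish]
        reports = [e for e in evs if e.reported]
        accurate = [e for e in reports if e.is_phish]
        unreported = [e for e in phish if not e.reported]
        metrics[dept] = {
            "phish_sent": len(phish),
            # Phish-prone %: share of phish (simulated or real) that were clicked
            "phish_prone_pct": pct(sum(e.clicked for e in phish), len(phish)),
            # Raw report volume vs. how many of those reports were actually phish
            "reports": len(reports),
            "accurate_reports": len(accurate),
            "report_precision_pct": pct(len(accurate), len(reports)),
            # Share of known phish that anyone reported at all
            "report_recall_pct": pct(len(accurate), len(phish)),
            "unreported_phish": len(unreported),
        }
    return metrics


def goal_progress(baseline, target, current):
    """Fraction of the way from baseline to target, clamped to [0.0, 1.0].

    Works for goals that move a number down (Phish-prone 22% -> 2%) or up
    (completion 60% -> 95%); 0.0 means no progress from baseline, 1.0 means
    the target has been met or exceeded.
    """
    if baseline == target:
        return 1.0
    fraction = (baseline - current) / (baseline - target)
    return max(0.0, min(1.0, fraction))


if __name__ == "__main__":
    for dept, m in department_metrics(EVENTS).items():
        print(f"{dept:8} phish-prone {m['phish_prone_pct']:5.1f}%  "
              f"report precision {m['report_precision_pct']:5.1f}%  "
              f"recall {m['report_recall_pct']:5.1f}%  unreported {m['unreported_phish']}")
    print("progress toward 22% -> 2% with current 12%:", goal_progress(22, 2, 12))
```

Tracking precision alongside recall matters: a department that reports everything (high recall) but also floods the helpdesk with benign mail (low precision) tells a different story than one with the same raw report count, which is why the post distinguishes reported from accurately reported emails.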
Risky enough to leverage our natural tendency to rise to challenges. Ask yourself where you can afford to be risky here. What’s your goal for reducing your organization’s susceptibility to social engineering attacks? Go ahead, take a risk and be aggressive in your estimate! Doing so will force you (and anyone in the approval chain for your program) to adopt a best practice of frequent phishing and social engineering tests so that your employees are appropriately conditioned not to click on phishing links. Or maybe your risky goal is to take your program global for the first time? If so, stating your goal will force you to work with other areas of your organization to ensure that you have the best chance for success as you implement your program in each region.
Time-keyed so you’re prompted exactly when to act. This is self-explanatory. Unless you’ve committed to a specific timeframe, your goal is likely to remain vague. Once you have a date attached to it, you have much more incentive to work to meet that date. That forces you to work backwards from the target date and break down the goal into manageable, defined chunks.
Exciting enough to inspire and harness the power of your intrinsic motivation. This is all about moving you from a ‘check the box’ mentality and into a crusader mindset. Think about why each aspect of your program is important. How does it improve the overall organization? Getting in touch with the underlying ‘why’ behind each aspect can help fuel your excitement and will keep you energized throughout the year as you ride the waves of both success and frustration.
Relevant within the overall context of your organization and people. I’ll keep this simple: Don’t make security an abstract concept. If you are training about things that aren’t relevant to your organization or people, they will disregard and forget the content. Make it real, make it relatable, and make it relevant. This will likely mean that you use different messaging and tactics across different departments, regions, or age groups. Go ahead and embrace it – it’s worked in the marketing world for quite a while now and it can work for you as well.
With this SMARTER framework designed with SAT in mind, are you ready to make 2018 a break-out year for your security awareness program?