Security Awareness + Empathy works well
It is often said that humans are the weakest link in the security chain. I believe it is a statement of convenience, bereft of understanding and empathy.
If you are to succeed in building a Cyber Security competent workforce, Cyber Security practitioners must stay away from conveniently positioning the end-user as the weakest link. Especially, if they have not done their bit, with planning and conviction, to build a Cyber Security Competent workforce.
Notice I have used the term “Cyber Security Competent”, not “Cyber Security Aware”. Awareness is the know-how of a topic or a situation. Competence is the ability to implement the know-how or skill.
Are you investing in Cyber Security Competence?
Coming to think of it, organizations have reasonable to significantly high budgets on skills training that is specific to the job the employee performs. Be it coding, sales or using a product, organizations put in hard money to it.
Now, data is important for every business. How much of the training budget is spent on Cyber Security skills training? Not, the mandatory, once in a year security awareness session or course. But, real, intense, Cyber Security skills training.
If you must term your employees as the weakest link, shouldn’t organizations be first spending a reasonable amount from their training budget on actual “Cyber Security Skills” training?
Shouldn’t Cyber Security managers spearhead the initiative to create a Cyber Security competent workforce?
Employees turn up every day to get the job done. Cyber Security helps them along the way. The key is to have the workforce wholeheartedly and positively accept Cyber Security as an essential skill that they are willing to master and practice.
In order to achieve a positive Cyber Security attitude from the end-user, you must establish genuine empathy with their needs and motivations. This begins with a deep and genuine understanding of their job and how they execute their work tasks.
With an empathetic approach, you will avoid;
- Preaching — The “Don’t do this…” kind of Security Awareness communique
- Guilt inducement — The “Did you know X% of hacks happened due to user mistakes” awareness messages
- Harassment — The “you must complete this course to be eligible for a performance review” approaches
With an empathetic approach, you will;
- Try and understand — the employee’s specific job and how Cyber Security can help them do better
- Endeavour to align — You will use language like — “Your team’s data management processes will positively influence our position on GDPR compliance”
- Strive to empathize — You will motivate the employees by communicating positively — “Adopting the new data sharing security practices will help you share information with your team members securely and keep us safe from legal and reputational risks”
Now, can empathetic security awareness content win the end user to your side? Certainly. It takes a bit of human understanding and genuine concern for the work your colleagues do. After all, they were hired to do their jobs, and in all probability, they are doing it quite well.
Just don’t call them the weakest link.