There are many company workforces working from home where employees do not have regular contact with their peers and security staff. Not unsurprisingly, technology is seen as a ’silver bullet’ and there is a myriad of software providers offering tools to solve a security team’s SE&A needs. These tools have their place, but effective education to achieve change needs to be grounded in key points that people can relate to with impacts brought to life. Furthermore, the need to meet an audit requirement should not be confused with effective SE&A.
‘Click based’ online training has its place. It is structured, automated, and measurable allowing security teams to distribute key security messages quickly and efficiently, as well as provide evidence to auditors. So, it makes sense to use it. However CSOs need to consider other factors too. For example, how to address direct face-to-face (f-2-f) interaction, provide a ‘humane’ face of security that is not aloof, and how to target security messages appropriately so that there is effective security engagement at all levels of an organisation. The importance of f-2-f cannot be underestimated, a combination of online training and the impact of the pandemic makes f-2-f training less likely and compounds the problem of effective messaging.
Security is fundamentally a human condition. Industry veteran and author Bruce Schneier, talks about “feeling secure when you’re not, and feeling unsecure when you are”. Automated, screen based training can’t draw out some of the finer messaging that is required to change people’s behaviours.
As a CSO I used to introduce our new staff security induction training and stay around to talk through scenarios, precisely to encourage discussion and engagement with new employees and make the team, from the very top, ‘approachable’. This allowed me to make a direct, personal connection between the individual and their own security that, by association extends to the security of the company. Discussing f-2-f, the connection between identification on social media, through Open Source Intelligence, and how this introduces unnecessary risk to the individual and Company through targeted attacks such as phishing has real impact. A software based approach to learning when talking about the implications of social media isn’t able to capture these personalised nuances.
If the only time staff interact with the security team is when there is a security incident, there is a real risk that the security team is seen as the ‘portents of doom’! Engaging with staff directly and making yourself approachable is critical to successful security management. This can be done on-line and given the media commentary of a growing sense of individual isolation of workforce staff the security team have the opportunity to not only show a human face of security, but also help the wider business tackle staff isolation. To do this security staff should consider the following:
- Scheduling – Don’t schedule training in the core business hours for meetings, these will change from business to business but consider between 9.30am to 3.30 pm.
- Start/End Time – For many the working day has extended into what would be commuting time, and because staff don’t have to travel between meetings, calls tend to be back-to-back. Plan for this. Start the meeting 5 minutes after the hour (or half hour) start and end 5 minutes for the hour (or half) stop.
- Content – Make the content relevant to remote working to reinforce key message and create/build into the training the opportunity to discuss scenarios so that the audience is actively engaged.
- Accept this is a different office environment – Let people know it is ok to go for a break, and build a break into the training to encourage staff to get up and stretch.
- Faces are fun – Finally, turn your video-on, interact with staff and make it ‘human’. Talking to a set of slides, down a phone-line, without feedback is not an enjoyable experience and will quickly turn your listeners off.
A final point on engagement is making SE&A appropriate to different business audiences. It feels obvious but is often forgotten that the security message needs to be tailored to the audience. I learnt early in my career that messaging to senior management was about helping them understand how they could help maintain effective security; priming them with security questions to ask their staff; or highlighting behaviour they should be aware of that might reduce security effectiveness.
The message to middle management was about how security could help them undertake their roles more effectively; ask managers not to assume that the answer to a security issue is ‘no' and impress on them that we want to help them so that they, and their staff do not try their own workarounds. Finally, to new or junior staff it was a more direct message; that these are the ‘rules’ and, more importantly, this is why they must be applied.
The result of losing the human input to security training is that it loses its impact. If staff only have to think “I’ve got 30 minutes to click my way through this presentation”, then they are not fully-engaged, and the training will have a limited impact on changing behaviours. Isolated staff, remote from the office, their colleagues, and the kind of security discipline that is automatically enforced by being in an office will become more disconnected from security practice. Reach out remotely, make security engaging in whatever form it is presented, deliberately make time to directly engage staff at all levels and encourage two-way engagement to maintain a more effective security regime.