October is Cybersecurity Awareness Month. Whether you’re a partner having the security conversation with your customers or you’re seeking out ways to improve or upgrade the security technology of your own organization, Cybersecurity Awareness Month can be a great place to start. We know cybersecurity is important. We also know that for an organization to have a truly successful cybersecurity strategy, it needs full organizational buy-in. But what does cybersecurity awareness actually mean? WHY is it important?
Bridging the Gap Between Cybersecurity Awareness and Impact
The answer to the questions I posed above is that we have a huge gap in cybersecurity messaging and incentives. Too often, the discussion goes like this:
Company – “It’s Cybersecurity Awareness Month!”
Employee – “Great! What does that mean?”
Company – “Ummm…be aware of cyber so…don’t click on links?”
Employee – “Cool. I won’t click on stuff. Also, what does cybersecurity mean to me?”
Company – says something about passwords.
Employee – “So the messaging hasn’t changed in 15 years?”
Company – “Yeah, pretty much.”
We see this problem all the time: companies don’t incentivize their teams to understand and address the cybersecurity problem for the organization throughout the entire year. Then, they task them to develop content for Cybersecurity Awareness Month or pass a simple test that doesn’t actually educate or inform them on important cybersecurity updates or best practices. The organization’s Marketing and Training teams may be able to create content they can provide to the employees of their organization, but they often lack the context, understanding, or manageable goals to have the full and intended impact. This is like asking a surgeon to encourage people to take their vitamins by explaining how cellular respiration works. The messaging doesn’t move the needle. Instead, it often falls flat because the alignment and awareness simply aren’t there.
Let me be clear: this is not a jab at Training and Marketing teams. They’re working to keep up with the other important content that must be presented in traditional spaces, with tried-and-true messaging frameworks, while also attempting to fit cybersecurity awareness into communications that don’t feel connected. That’s why it’s so necessary for every member of an organization to participate in cybersecurity awareness through the lens of their own journey.
If you’re a Trusted Advisor guiding your customers to develop a successful security strategy, this is what you must impart to them as you lead those conversations.
Achieving True Impact Through Cybersecurity Awareness Month
Here’s what I DO believe works. First, companies DO still need to message good cyber hygiene. This means encouraging employees to use complex passwords and multi-factor authentication, avoid strange or unfamiliar links, and regularly update software. However, those aspects are just one narrow part of a much broader message that actually does move the needle. It’s a fundamental part of storytelling: The Hero’s Journey.
You are the hero in your own story. More accurately, you are the hero in your own (and your organization’s!) cybersecurity journey. When you seek out and apply what you’ve learned to your own behavior or routines at work, you are embarking on a journey to help your organization protect itself and its employees from potential security threats.
Having the Security Conversation
Here’s something I love watching when I train people in security. While the technology has changed and evolved, I’ve had similar conversations for 20 years while working in the security space. I LOVE getting to the point in the conversation where people start thinking like an adversary, and as a Trusted Advisor, this should be one of your main goals as you lead security conversations with customers. You get to see the lightbulb turn on. They put their hands on their head and lean back, their eyes go wide, and their mind expands. They can suddenly see flaws in the systems around them. It’s one of my favorite conversations. There are so many routes to unlock fast and impactful cyber enlightenment. However, all of those routes are fundamentally rooted in making each audience member the hero in their own journey.
We even have a phrase for it: “Let me put my black hat on.”
Let me think like an attacker and walk a mile in their shoes. Now, let me see where the security threats they pose can have a negative impact on my own work – marketing, human resources, finance, sales, and of course, IT. Every person in a successful organization has a part to play in the ongoing work to protect their business. Having cybersecurity awareness is the start. Connecting that awareness to impact and taking action to carry out the steps that keep harmful security threats away from your organization is the true goal.
All we have to do as storytellers is get the audience to think like a cybersecurity hero in their own story. Get them to walk a mile in the attacker’s shoes. Don’t focus on passwords. Focus on the audience member’s identity. Get them to put their black hat on. Get them to walk a mile in a hacker’s shoes.
That’s powerful cybersecurity awareness, and that’s why it’s so important.
Check out the next part in my four-part series on Cybersecurity Awareness Month and keep an eye out for the final posts in the series as well! I’ll dive deeper into what it means for an organization and how to achieve a true impact in a company’s security strategy and protection this month!