Security Awareness is Dead. Long Live Security Activism!

EditoratLarge

2 years ago

At the end of 2019, I wrote an article “Security Awareness Dies – My 2020 Prediction” where I talk about how the way organisations go about awareness training is not a great return on investment. The core message was that information security professionals should think about awareness differently. We need to take the opportunity that awareness sessions bring us, to engage with the business in a much more positive and productive way. Showing the business how the information security team is a force for good! But whilst it’s all well and good to show the business all the amazing things we do behind the scenes, we also need to turn each person in the business into an information security activist. In this article, we shall look at what an information security activist looks like, why your organisation needs them and how you can build a movement in your organisation.

What on earth is an Information Security Activist?

Now I want you to picture the scene. Your IT department is about to put into production a behemoth core platform that will be the engine room of your organisation. It will automate many unwieldy manual processes. It will however be developed at lightning pace, with no real planning and will have more security holes in it than a piece of swiss cheese! A shadowy group descend upon the basement (where all IT people live) carrying placards and chanting “Stop the System!“. One plucky individual handcuffs themselves to a server rack in the comms room whilst another, superglues themselves to the keyboard of the lead developer. The building security is called and before anyone can say “think of the intern”, tear gas billows. Network engineers and DBAs erupt from the elevator into the entrance atrium coughing and gasping for air with bloodshot eyes. IT nil, activist one!

Whilst the scene described would probably make an interesting episode of the IT Crowd (like the one where the Internet got broken!), we really don’t want that kind of carnage in a real workplace. So, what is an information security activist?

First, let’s look at what makes someone an activist. The dictionary definition of an activist is:

“A person who campaigns

to bring about change”

In a wider societal context, change is usually political or social in nature. In an organisational context, think about an activist ass campaigning to bring about behavioural change. In the more specific context of an information security activist, people who will campaign to drive behaviours that will keep an organisation secure.

Why do we need information security activists?

The longer answer first. Traditional approaches just don’t achieve the behavioural change needed. The current awareness mindset focuses on futile exercises that at best, temporarily modify behaviour. Thirty-minute computer-based training modules that employees click through in less than eight (yes, we do look at the stats!). Phishing exercises with a follow up “re-education” for those who have clicked. Death-by-PowerPoint inductions. Even funny videos (which I do like watching). These approaches miss the point of what awareness is trying to achieve i.e. long term behavioural change because they are deployed as point-in-time exercises. They are rarely deployed with pre-defined success criteria to assess whether any long term behavioural change has actually been achieved.

The shorter answer – information security isn’t omnipotent. We can’t be in all places, all the time. We are the ones that keep the business secure whilst others get on with their jobs. But we can’t keep our organisations secure without support from everyone in the business. To prevent hackers from destroying everything we have worked so hard to create, we need everyone to promote good security practices. From the ground up. organisations need people who will integrate security into their day-to-day lives and encourage others to do the same. From the top-down, organisations need leaders who actively promote the idea of involving information security at the outset and empower their teams with resources and budget. If long term behavioural change is to occur, information security needs to organise an army of activists across the business!

Ok, how are we going to create the activist army?

Picture the scene. Mila Jovovich as Joan of Arc. Mounted on a white charger she shouts “FOLLOW ME!!!” to the ranks of her countrymen. They rally behind her and charge into battle! Ok, maybe not quite that but we can learn a bit from this – not quite historically accurate – 1999 classic.

Understand what motivates

You want your activists to join your movement for change. But why would anyone want to join your movement? People join movements for several reasons but the top three are:

Purpose – a desire to fulfil an objective
Relationships – a desire to be with like-minded people
Self-Interest – a perceived benefit to the individual or their peers

Knowing why someone does something will be incredibly useful in determining how you motivate them to join your movement. To get started, conduct a stakeholder analysis. Take your organisation as a whole and then identify which people fall into which group. Self-interest can be a difficult concept to get your head around if it is framed negatively. Think of it more in the way Adam Smith intended when he described the Invisible Hand in the Wealth of Nations rather than that described in Machiavelli’s The Prince. Once you understand people’s motivations, it’s now time to organise!

Get organised

Once you know how each of your stakeholder groups are motivated, it’s time to get organise your information security movement. This can be achieved in several ways. One way is to create interactive events. Consider hosting a “Keep your kids secure” event whereby you show parents how they can help protect their children from online threats. Organisations like ISC2 (the people behind CISSP) support initiatives like the Center for Cyber Safety and Education who have great resources that you can use. Not only do you help parents keep their kids safe online (purpose), link like-minded parents (relationships), but if you hold a certification from ISC2, you can log CPE for these types of activities too (self-interest). There are countless other examples. Hold a career development workshop for those in your organisation who may be interested in moving into cyber-security. Show them about the work you do and the potential career paths. Show them how they could move into cybersecurity. Run workshops for different teams and show how cybersecurity helps them and how they can help you.

Organising people can also be achieved by finding ways to build upon people’s ability to act independently i.e. help people be secure on their own. If you know teams want to move fast, show them how to start the ball rolling themselves on an information security assessment or third-party due-diligence questionnaire. Be available as a coach, mentor, proofreader. Show people how to interpret policy so they can incorporate requirements into their new products and processes. Empower people to build up their skills. Provide encouragement. Praise publicly as much as you can.

Whilst this is not an exhaustive list, the last one I will discuss is possibly the most important. Consider how you involve people when delivering new concepts. A certain demographic will want to feel like they have been included – so include them. Creating a new policy, get it to 85% complete and ask people to provide their input. It’s a lot harder to block an initiative if you have been heavily invested in its development and you’re wedded to its success. Similarly, ask teams to come up with Data Leakage Prevention (DLP) scenarios in a workshop setting. Get them to whiteboard all the ways they can think of to get information out of the organisation…uploading spreadsheets full of client data to Slack and then downloading them at home you say…!

Measure the impact!

So you have identified and organised your activists. You have created an information security movement and it is sweeping across the organisation like the upsilon variant of coronavirus (I’m sure it’s coming). You’re not quite done yet. You need to ensure your activists don’t become radical fundamentalists. This can be achieved through careful monitoring and measurement. Have in mind what good behaviours look like, monitor those behaviours regularly and take action where things have gone awry!

Final Thought – Keep your activists energised!

You have given them purpose. You have built relationships. You have helped them understand there is something in this information security malarkey for them. Amazing! But remember movements can come and go unless they are continually organised. You want to think more like you’re building a religion than creating the next ice-bucket challenge. To keep this movement going, you must nurture your activists. You must maintain relationships. You must keep seeking their opinions and developing their ability to act independently. If you don’t, their motivation and energy will wane, and so too, will the protection they provide the organisation…

…so go forth. Close down PowerPoint. Inspire. Build your information security movement. If you lead well, your activists will follow!

And if you need help with your information security movement, get in touch. We can help!

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.