A weekly series highlighting members of our Security Awareness Manager community and their lessons learned while creating and running awareness programs that go beyond checking the box - they make an impact.
This week we're speaking with SAM Community member Gabriel Friedlander, the founder and CEO of Wizer Training. Gaby brings experience not only from his content creation for the Wizer Security Awareness Training platform but also from his days as a co-founder of ObserveIT, which dealt with insider threats. Both deal with the human factor in security. If you have seen his posts on LinkedIn, you will know he is a natural and prolific content creator - he has an eye for taking the everyday and framing it in the light of security awareness.
Security Awareness Topics - Create a Common Language
"When you strategize and look at the security awareness program, you first need to cover some of the basics in order to create a common language."
Security awareness is like any other education: you first have to be sure you have the basics down. That includes ensuring learners have an understanding of some of the language for the topic. While they don't need to be a walking Wizenary, er, dictionary, of cybersecurity definitions, they do need to understand the basic jargon. And this can be the first stop in your journey of content creation - ensure the basic definitions are understood so learners new to cyber awareness can be successful.
Gaby mentioned that one way Wizer does this is through their "man on the street" interview series, Wizer in the City. Take what seems 'basic' to those in the security field and approach the general members within your organization to gauge the general knowledge and perception of the basic terms we like to throw around in awareness training.
Some basic topics for a security awareness training presentation can include: "What is security awareness?"; "What is phishing?"; "Why would a hacker target you?". Depending on your audience, it sometimes helps to lead with an example to get the conversation going as they may not even understand hacking is not limited to lines of code but can be done through a phone call.
Also consider topics that are commonly thought to be relevant only to a select crowd but have a broader definition in cyber, such as wire fraud. Typically, people may limit wire fraud to instances when money is wired for business, rather than understanding that wire fraud can begin with a hacked email account of a trusted lawyer asking to redirect funds to a different account.
Think Like A Marketer - Do Audience Analysis
Next, it's important to understand your company's audience. Prioritize based on the findings from the risk assessment that identifies the departments and individuals who are the most critical to the business and match the training with the risk. Gaby gives the example of a company whose biggest risk is code-based, where the concern is that if developers are hacked, the customers will follow, ruining the company's reputation. This knowledge allows you to go beyond the basics in the dev team's training and create more specific examples and trainings that build a stronger understanding and awareness.
"We want to create engagement with our audience - with our teams. We want them to get excited with what we have to tell them. We want them to take that home and become ambassadors; to basically go from a learner to a teacher at home."
Continuing to wear our marketing cap when building out topics to cover, next it's helpful to consider engagement. For Gaby, his goal in creating content is to create excitement that leads to action; to take the individual from being a 'learner' to a 'teacher' at home.
To do this, start with the end result in mind and then look for topics that will generate the interest and engagement you're looking to achieve.
Pop Culture is an Easy Conversation Starter
One simple way to find topics that generate security awareness conversations is keeping a pulse on what's going on in the world around us. Netflix's The Tinder Swindler and the recent trial of celebrities Johnny Depp and Amber Heard provide ample opportunities to discuss the telltale signs of romance scams and the context of privacy and how much it really means when privacy is indeed invaded.
Follow the Seasons
"It's not only the topic itself, it's also when you talk about a topic that's important."
Just as following pop culture can provide a wealth of content that is interesting, another tactic is to keep an eye on the upcoming 'seasons' to drive topics that are timely and relevant. This goes beyond the holiday seasons, but that's a good start. Thanksgiving and Christmas are well loved by cybercriminals in the online shopping frenzy of Black Friday and Cyber Monday deals. Educating users about identifying fake ads and being wary of too-good-to-be-true discounts will be readily received during these times. Other seasons include tax season, summer travels, Valentine's Day and the like.
TIP! If your company has a marketing department, consider making friends with the social media manager - they usually have a calendar year's worth of holidays and events that might provide guidance for your own awareness calendar.
"Security awareness in general requires a collaboration...put on that marketer's hat or mindset when you're pushing out content to your team. One of the drawbacks we have in security awareness is we're forcing people to watch our content but we don't really know if it's engaging [the audience]."
First Impressions Count!
Gaby stresses it's important to note whether you're capturing the audience's attention within the first few seconds. Whether it's custom content or a video you purchased, it's also how you're sending it. The video you send may have the best, most engaging content but if the subject line to the email is a flop, that email will remain unopened. (Of course, there is the matter of utilizing different channels to also push out content but that is for another conversation).
Additionally, when creating content, especially something such as a video, keeping it short, even only 3 minutes, is not enough. Ask a marketer and they will tell you that you have to hook the viewer in the first few seconds before they scroll on (if not required) or zone out (if they must sit through it). As Gaby remarks, "It's just so hard to concentrate on something you just don't care about. When you create the content, think about that. This is also true on social media. You may say the smartest thing ever [in a text post] but if your first two lines didn't capture anybody's attention, it's going to get missed."
Does that mean the content is a flop and to throw it out? Not so fast!
Sometimes it's as simple as reposting it at a different time and day - it could be that the original day was just not a good one to send the message. Any social media marketer will assure you resharing content is not a bad thing because it reaches different audiences each time when distributed across different days and times.
Change It Up
If your aim is to achieve a stronger security culture then going beyond the topics of what is mandatory is imperative. Along with varying the topics to align not only to business needs but seasonal trends, it's important to vary the WAY the content is delivered.
If video training is your typical method for the standard awareness training, consider taking that content and giving it new life: put bullet points on keeping data secure on a one-page PDF to leave near the printer or in the break room; create a fun meme that communicates an idea and share it to your internal social channels; make a GIF or create a screensaver users can download. Just as there are different styles of learning, there are different preferences for consuming content. Videos really are not everyone's cup of tea, even if they are short. Some people prefer bullet points and others enjoy going more in-depth.
Where Else To Find Ideas for Security Awareness Topics?
If you're unsure if a topic will be interesting, one of Gaby's tried and true methods is to first test it as a social media post on LinkedIn. If the post generates a lot of conversation and engagement, he'll take it and create content from it.
In marketing, this is known as User Generated Content and it is typically some of the best performing content created because the idea came from the audience you are targeting. Reading comments on relevant threads can also provide content ideas - did someone ask a question? Create content that answers it! Are several people reiterating a particular theme? Boom. Content!
Finding or creating channels within the company can also provide these insights, which are all the more valuable because they come from exactly the audience base you're working with.
"Security awareness is a two-way street. It's not just us broadcasting with a PA system and hopefully everybody will listen to us...we have to create that engagement and it's up to us (security awareness managers) to use different tools."
Another way to generate engagement is to provide a platform for team members in the organization to share their own stories of being hacked, or those of someone they know. This then opens up more opportunities for speaking on different topics that are not dictated to them but are relevant to their own stories.
In short, creating topics and content is an ongoing effort with lots of room for creativity!
Gaby's top three tips when getting started:
1. Learn what the company requirements are for compliance and regulation (HIPAA, CCPA, GDPR, etc.) and start there.
2. Cover the basics and make sure people have a foundation around the concept of social engineering and understanding of basic terms.
3. Be curious and focus on engagement!
"Once you understand engagement, everything else will follow. If you understand that that's your job to create that engagement, that curiosity from the team's point of view [and create] that open door, then topics will start flooding in and you'll be relevant all the time."
Security Awareness Training Presentation: 25 slides to cover all the basics plus a bit more. Downloadable PDF to use as a plug-n-play presentation, or customize to your needs!