Heather Noggle shares some of her insights learned over her 25+ years of translating between English and Tech as an IT, cybersecurity, and people professional.
Heather combines her career across multiple diciplines including HR, full stack, full life cycle developer, executive, business owner, board member to bring a fresh and broad perspective to security awareness.
Challenges to Communicate Security Awareness
There are so many areas to keeping a business safer online from the human factor perspective, it can be challenging to know where to start. Heather recommends always starting with the basics and getting a feel for where your audience is. Make sure the basics are clearly conveyed and look for followup questions to guide the conversation.
When it comes to online risks, she observed that while the risks have indeed changed from 5 years ago the feeling that users have has not - the risk is not readily observable to the end user. Nothing "feels" different when working online in 2017 to today. What typically results is that people accept to move on with their work because they cannot see or feel anything tangible. And it's hard to mitigate a risk if they are not seeing one in the first place.
As such, communicating the risks about certain digital behaviors (or lack thereof) has to be an ongoing and regular conversation topic.
Passwords aren't dead, yet, use them to start a conversation. Knowing where to start can sometimes be a challenge. As online interactions can seem so intangible it's a good idea to start with something that the employee already has a basic grasp of. Passwords have the advantage of already being a concept everyone understands on a basic level but there's enough there most have not considered that we can easily provide some new perspectives on how what used to be considered strong, isn't any longer and the ins and outs.
From there, you can build on their knowledge and lead them along the conversation.
What to consider in communicating Awareness Topics?
When crafting a message to send out to the company or simply having a one-on-one conversation, timing is a big factor that can really boost the receptivity of the topic. Use news events as a springboard for a particular focus on staying safer but be careful not to cover ALL the ways an organization or person should have done x-y-z but rather emphasize one layer of the event and how that can be mitigated. Doing this can take an event that may seem very unrelatable to the everyday user and provide them with a big-picture understanding while walking away with one concrete takeaway.
As Heather commented, "when we invoke curiosity and empowerment, we win."
Making parallels to physical security. Again, taking the conversation to a place where a regular employee can relate in the everyday life in physical safety is a great platform for transitioning to digital safety. We all understand buckling up, wearing a helmet, or looking both ways before crossing a street. Even building safety can be a starting point for talking about online safety habits. Heather did caution against the messaging going towards a fear-based direction. There's a lot of research that has been done that positive messaging is more effective. Check out our interviews with Dr. Alexander Kharlomov or Lisa Plaggemier for more info.
What Topics To Cover for Security Awareness Conversations?
If you follow Heather on LinkedIn (which you should!), she's an expert at weaving stories from a range of day-to-day happenings and tying them back to an aspect of awareness, risk, or prevention.
One way she does this is simply by keeping an open and curious mind as she goes throughout her own day looking for analogies or situations that may be relevant. When an idea pops up she uses a voice recorder to capture the idea in the moment and then follows up to flesh it out further at a later time.
Specifically to LinkedIn, another approach she uses is showcasing another professional's work. When you come across great content, don't reinvent the wheel, build on it. This provides a win/win scenario in which you elevate another professional while adding your own view to the conversation.
Lastly, within your organization, another way to start a conversation or create content is by utilizing the expertise of the vendors you already work with. Inviting them into the organization for a special event to share more in-depth knowledge in a non-jargon way can be a great opportunity to invite your employees to ask questions and get answers.
The one caution would be to ensure with the guest speaker not to lecture but rather provide more of an open Q&A allowing for conversations.
This particular tactic allows also for an 'outside voice' that takes some of the pressure off of the security team and allows them to participate and facilitate engagement instead to foster a sense of community.
Beware of Missed Opportunities
According to Heather, often times we miss opportunities to connect an event to stronger security habits simply due to it being uncomfortable. She encourages security awareness advocates to work to keep the conversation natural and in context, don't try to force the topic but don't be shy in engaging.
Keeping the conversation going, naturally, doesn't always mean it isn't planned, however.
When there is an event - whether in national news or trending topics - it is possible to create events around it to generate more opportunities to discuss.
For instance, invite guest speakers (see the vendor suggestion above) or create memes or posts in close proximity to the topic to help keep awareness top-of-mind. Having these talking points will give you more opportunities to naturally interject or allow the employee to bring the conversation to you.
One added note Heather brought up is around the more formal aspect of security awareness such as ensuring policies are in place. Consider how you'll present them - don't make it dry and formal. Convey the necessary information but tie it to "why it matters" - take it beyond compliance.
As Heather observed, "if you have the opportunity and it's there, take it, don't force it. But when it is there, know what to say. That requires attention and intention - both in knowing what your message is, how to say it, and what's important to your organization."
Attention and intention [are both needed], with intention coming first. So be strategic. Focus on what you want to be as an organization and how security fits in there.
Resources from Heather: