Lessons Learned: Security Awareness as Thought Leadership

Shifting our insights on security awareness programs, this talk features Aliza Hughes, Director of Thought Leadership for social media agency ZoecialMedia. Our discussion will explore tips and ideas how an awareness manager can apply being a thought leader within their organization to effectively communicate and raise awareness around the topics of online security for their employees.

"The more you show up [across] platforms, the more you can be seen as a "thought leader", which is just really a fancy way of saying an expert in your field...The more that you share your knowledge and your expertise and everything that you've learned along the way, the more you can grow your own following - which is obviously a benefit - but the more you can also actually bring more visibility and credibility to your company, also. So it's really a 'rising tide lifts all boats' kind of effect."

Make yourself the address for security questions

Effective security awareness programs are ones that promote on-going conversations around online safety. One way to establish this is through viewing yourself and your team as thought leaders on awareness topics for your organization - a sort of internal 'thought leadership' team, if you will. Utilizing tips and tricks professionals use to establish themselves as thought leaders creates familiarity and trust with one's audience to where eventually they view you as the address to come to for their curiosity, thoughts, questions, and concerns.

"By being somebody who is out there and addressing those questions [people] didn't even realize were questions; before people even realize that they were thinking about them, you're already getting into the back of their consciousness. And you're going to start dripping this information out in a non-threatening, non-aggressive way."

Aliza compared this idea of a consistent flow of messaging to being at a conference. You're at your booth, sharing your info with attendees milling around. The first time by, they may only note you're speaking on a particular topic but don't stop to engage. However, as the conference goes on, they become more familiar with you and once a question arises that's relevant, they approach and engage.

How to establish yourself as a thought leader within your organization?

How to get started? In short, start sharing info. Consistently share short thoughts about topics dealing with security relevant to your employees and leadership teams. Whether through internal messaging - like a company Slack channel - or via external channels - such as LinkedIn - begin sharing a single issue, thought, or tip relevant to security awareness on a regular schedule.

While consistency is critical, it doesn't mean annoying - the rhythm can be once a week or even once a month for internal channels. If you're looking to include LinkedIn or Twitter then once a week can be a great start (and even increased if you feel you have time for that as it'll be going to a much wider audience). 

What to talk about?

At first, it may be just reiterating the basics but as time goes on you'll need to go beyond that. Use current events and pop culture to generate topics of conversation. The Tinder Swindler was (sadly) a great one for listing out how to identify romance scams and the latest data breach can serve as an opportunity to share about haveibeenpwned.com for personal security checks.

Making news events relevant to individuals in your org and offering simple tips they can implement in their own lives will make them more receptive to future messages shared. For other inspiration on topics for awareness that are beyond the basics, check out our conversation with Wizer's founder, Gabriel Friedlander, to hear his creative approach.

This can sound like a lot of work, and as a busy cyber professional who wears many other hats in addition to the security awareness manager hat, you don't have much time to spare. Keeping a doc handy to post ideas and current events you might want to use is a good start. Then, block out one hour a month to write up the posts around those topics and 'schedule' them.

Aliza had a great tip for one way to schedule your content - create a calendar event/reminder with the text of the post included inside the event. Then on the day scheduled, you simply have to copy/paste to the relevant channels and you're done.

How long should a post be?

Just long enough to communicate the information. A thought leader doesn't have to be someone who is verbose in every message, but rather can convey one topic clearly and concisely. Don't get stuck on making it a perfect post - it just needs to communicate. "Get in, get out, say it quickly because people are lazy and will stop reading as soon as they get bored."

It may be tempting to share every best practice in regards to preventing a BEC, but that will get lost and forgotten. It's best to stick to a limited instance and 2-3 tips. You could even make a series out of something that is more complex using the series format to break it down into bite-sized segments. To reiterate, length is not as important as consistency.

"The more you can get yourself out there on a consistent basis, the more people will start to see you as this constant in their feeds and in their lives and they'll know that they can come to you because you're active and they can approach you on these topics."

With all that said, don't overthink the messaging. Aliza's advice is to write the way you speak. "Pretend you're actually talking to someone on your team and just write that conversation." 

What types of post are best? Text? Video? Meme?

There's not one 'best' type of post as different types of people prefer consuming content differently. So, if it's possible, creating a mix of content types can give your message better reach with different audiences. Which is good news for you because that means you can also take the same content you wrote and turn it into a meme or make a short Top 3 infographic or quick video.

Use the types of content that work for you and you're comfortable with as you'll communicate best. However, there are some good tips to keep in mind when formatting text.

Make sure to include a lot of whitespace - when people see a wall of solid text, no matter how well written, it's typical habit to scroll on past. However, text that has short paragraphs with space in between is easier for the brain to quickly scan and zone in on info that catches interest. Even this article is composed with that in mind!

Videos are popular for a reason and the good news is they don't have to be a 'professional quality' to be successful. Today's society appreciates a candid video if the info is relevant and helpful. As stated earlier, though, if you're not comfortable with video, there's no need to force it. If you have a security team with a more outgoing personality willing to make a video every now and then that works, too - just keep the message short and actionable!

Don't reinvent the wheel!

There's plenty of free resources available that have created infographics, best practices and more that you can also use to push out awareness. Being a thought leader doesn't mean you only have 'original' content, rather, it means you  know where to find content and share it, too. You curate content that is relevant for your audience. See resources at the end of this article to get started.

Use linkedIn to reach your employees, too

In the past year, LinkedIn has created a more interactive experience for businesses with 10+ employees through what is called their Employee Advocacy feature. If enabled, employees who are connected with the company page will have a special tab "My Company" that is a special view to only employees of that brand. There they will see other teammates posts as well as recommended content. The more you share awareness tips and tricks on LinkedIn provides an indirect method to reach some of your company members in a non-aggressive manner. Check with your marketing team to see if this feature is available and active. 

Also through engaging more with key members in your company via LinkedIn, the more you will each see the other's content in your feed. Another way to share out your message with out directly sharing :) 

Alternatively, you can share your message on LinkedIn and then share the link to that post on internal channels.

Other Tips

Aliza recommends using social channels to connect to other leaders in security awareness to learn from and be inspired by the content they are creating. While not everything may be applicable to your business needs in terms of risk and awareness, hearing other discussion can jumpstart ideas you may not have thought about. Additionally, join communities to network and brainstorm as well - Wizer's Security Awareness Community is a great start (we think). 

On social media, use hashtags to search for ideas as well - anything relevant to security risks, attacks or prevention - to find what others are talking to help spur ideas for your own content, too.

"Just starting posting and getting comfortable with it, with being a 'voice', it's difficult for people...but the more you do it, the more you get comfortable with it. Then you stop obsessing about the wording and the little things and you start seeing the big picture as well as the benefits. If you can stay consistent with posting, you're going to start seeing that people are responding in a positive way, you're going to grow your network and you're really going to be able to feel the growth of your leadership."

Resources:

Wizer's Community Hub for Security Awareness has crowdsourced materials from podcasts to cheat sheets on awareness topics and best practices.

StaySafeOnline.org 

NIST.gov 

Connect with Aliza on LinkedIn and while you're there check out our Security Awareness Manager community.