  • 14 February 2019

CISO Guide: use internal communication principles for creative employee awareness campaigns

Comms campaigns may not be your forte so take a leaf from the Internal Communication handbook to get your message across

"What we've got here is failure to communicate."

The Captain, "Cool Hand Luke"

This line from Donn Pearce’s Cool Hand Luke – the story of a recalcitrant southern states prisoner and 1967 film starring Paul Newman – addresses a fundamental element of human existence. For without communication nothing happens, outcomes fall short of their full potential or, in worst-case scenarios, disaster happens.

The dropping of atomic bombs in World War II may not have happened if Japan’s response to the request to surrender had been translated correctly as: “We withhold comment – pending discussion,” rather than: “We are treating your message with contempt.”

In the workplace, failure to communicate can have significant consequences. An employee survey* looking at work communication in general found that poor communication leads to:

  • Higher stress levels (52%)
  • Delay or failure to complete projects (44%)
  • Low morale (31%)
  • Missed performance goals (25%)
  • Lost sales (18%)

When it comes to gaining understanding, acceptance and action on your information security programme, failing to communicate appropriately and in a differentiated way reduces your chances of success.


Communication campaigns in an InfoSec world

When it comes to your company’s information security, good behaviours are key, and communication is a stepping stone to changing behaviours.

So how do you go about developing and rolling out an employee awareness campaign?

Where do communication campaigns sit in your world already overloaded with risk assessment, policies, pen testing, compliance and the like?


Make it personal

To begin with, you would hope everyone knows cybersecurity is important, but most people don’t fully appreciate the ramifications of not taking the proper precautions. This is your creative starting point: consequences. Throughout your employee awareness plan, weave in stories of how ordinary employees have fallen foul of bad actors and threats and show the consequences. Bring the consequences to life.

This is not a fear tactic. Once people understand how it can affect them, their interest increases along with an openness to seek and listen to more information.


Building your employee awareness campaign


Presumably communication is not your core activity so when considering your campaign, it’s good practice to take a leaf from Internal Communication's book and look to the “Five W’s” - who, what, why, when and where.

1 - Who you talk to - Audience
2 - What you say - Message(s)
3 - Why you are talking - Objective(s)
4 - When you talk - Timing
5 - Where you talk - Channels

  1. Who = audience
    While you are communicating primarily with staff, keep in mind that communication activity can be adapted for other audiences – shareholders, clients, contractors, suppliers and so on. Across employee groups, there are high-risk users that need addressing specifically. Target them with tailored messages based on the level of risk in their roles. Senior management often need bespoke messaging. To be creative and effective, don’t forget that one size almost certainly does not fit all: differentiation is the key, and the groups will change over time.
  2. What = messages

    Be specific for each message and paint a detailed picture for your employees to help them understand the gravity of potential risks. Each message should focus on specific areas. Illustrate these with concrete examples (stories) and what the repercussions are at work – and equally important at home. For example, inform them what cyber attackers are looking for, what techniques they use, but most importantly how staff can protect themselves (a nice creative touch), highlight the assets under threat and so on. The point is don’t bundle everything together.
  3. Why = objectives

    As a CISO you are continually attempting to change behaviour and further improve company culture no matter where you are along the information security maturity curve. These objectives translate directly into your primary communication objectives – simple as that. Keep your eyes on the big prize of effecting behavioural change and leave the creative tactics to your communication experts.
  4. When = timing

    The larger the organisation, the more that news, surveys, company missives and a whole host of other communication pieces deluge employees. But whatever the size of your organisation, to ensure your important employee awareness campaign isn’t lost in the maelstrom of noise, work closely with the internal communication team and plan carefully when your campaign can land and have maximum impact. Which leads nicely to…
  5. Where = channels

    This is where your creativity can have a real impact. People absorb messages in different ways so tell your messages through all available relevant channels at the right time. There is no substitute for hearing a consistent message regularly via different formats. There is more than email: you can use podcasts/blogs, online forums/intranet pages, newsletters, posters, screensavers, lunch-and-learn sessions/town hall meetings, training, Ambassador programmes (see later) and any other available channel.

Top tips to help your employee awareness campaign succeed

Here are some internal communication top-tips and tricks to make sure your employee awareness campaign is a success:

  • Powerful analogies
    These have big audience impact. Connect security at work to security at home. The best analogies concern personal/domestic stories where the audience feels a total connection. Furthermore, if you provide resources or tools that help an employee’s personal security you reinforce the message immensely.

  • Celebrate success
    When an employee doesn’t take the bait in a phishing email, reports an incident promptly through the right channels or your team overcomes a ransomware attempt, tell the world. Go big on employee stories and allow employees to share their own. Employee recognition builds a positive climate and drives improved information security attitudes and behaviour.

  • Communications calendar
    This helps you carry out activity regularly. Continually drip feed your content and avoid publishing a deluge of information at any one time. Little and often works.

  • Create an Ambassador network
    This is the creative biggie. Get employees to spread the news and, crucially, feed back to you the ‘word on the street’. Enlist a group of employees from across all business areas, geographic regions and job levels to be your eyes and ears. These guys aren’t the Information Security Police, but ambassadors who create another communication layer in your programme that encourages further interaction with and among staff.

  • Listen
    Employees want to be heard. Go out, ask questions, seek opinions, gather real world scenarios. Listen and do something with the information you are given. Employees who feel listened to are more engaged with your messages and feel more connected to your objectives.

  • Measure
    Monitor open rates, intranet page activity, attendance at lunch and learns and so on. At the same time keep an eye on your information security metrics and monitor upticks in performance linked to communication activity. Surveys are an excellent way to measure attitudes to and understanding of information security. The added benefit is they can identify links to communication activity too.

From failure to triumph

In deploying a co-ordinated information security awareness campaign – one that not only transmits, but also receives – you create an environment in which people feel happy to voice their views. Even better, one where their ideas are taken notice of. In short, they feel valued. This leads directly to the attitudinal and behavioural changes required to maximise information security performance.

With this in place, you will never fail to communicate and, more profoundly, make your company more secure.


*Communication barriers in the modern workplace, The Economist Intelligence Unit and Lucidchart


If you would like more information about how The Security Company can help your organisation to enable employee behaviour change with the goal of improving your security culture or how we can run behavioural research to pinpoint gaps in your security culture, contact us here.
Written by
Conor Mckenna
I have a variety of experience within marketing covering multiple sectors, from large consumer goods and FMCG businesses to working as a marketing consultant in the IT service management industry.