A CISO's guide to: creative employee awareness campaigns
Comms campaigns may not be your forte so take a leaf from the Internal Communication handbook to get your message across
"What we've got here is failure to communicate."
The Captain, "Cool Hand Luke"
This line from Donn Pearce’s Cool Hand Luke – the story of a recalcitrant southern states prisoner and 1967 film starring Paul Newman – addresses a fundamental element of human existence. For without communication nothing happens, outcomes fall short of their full potential or, in worst-case scenarios, disaster happens.
The dropping of atomic bombs in World War II may not have happened if Japan’s response to the request to surrender had been translated correctly as: “We withhold comment – pending discussion,” rather than: “We are treating your message with contempt.”
In the workplace, failure to communicate can have significant consequences. An employee survey* looking at work communication in general found that poor communication leads to:
Higher stress levels (52%)
Delay or failure to complete projects (44%)
Low morale (31%)
Missed performance goals (25%)
Lost sales (18%)
When it comes to gaining understanding, acceptance and action on your information security programme, failing to communicate appropriately and in a differentiated way reduces your chances of success.
Communication campaigns in an InfoSec world
When it comes to your company’s information security, good behaviours are key, and communication is a stepping stone to changing behaviours.
So how do you go about developing and rolling out an employee awareness campaign? Where do communication campaigns sit in your world, already overloaded with risk assessment, policies, pen testing, compliance and the like?
Make it personal
To begin with, you would hope everyone knows cybersecurity is important, but most people don’t fully appreciate the ramifications of not taking the proper precautions – this is your creative starting point: consequences. Throughout your employee awareness plan, weave in stories of how ordinary employees have fallen foul of bad actors and threats, and show the consequences. Bring the consequences to life.
This is not a fear tactic. Once people understand how it can affect them, their interest increases, along with an openness to seek and listen to more information.
Building your employee awareness campaign
Presumably communication is not your core activity, so when considering your campaign it’s good practice to take a leaf from Internal Communication's book and look to the “Five W’s” – who, what, why, when and where.
1 - Who you talk to - Audience
2 - What you say - Message(s)
3 - Why you are talking - Objective(s)
4 - When you talk - Timing
5 - Where you talk - Channels
Who = audience
While you are communicating primarily with staff, keep in mind that communication activity can be adapted for other audiences – shareholders, clients, contractors, suppliers and so on. Across employee groups, there are high-risk users that need addressing specifically. Target them with tailored messages based on the level of risk in their roles. Senior management often need bespoke messaging. To be creative and effective, don’t forget that one size almost certainly does not fit all: differentiation is the key, and the groups will change over time.
What = messages
Be specific for each message and paint a detailed picture for your employees to help them understand the gravity of potential risks. Each message should focus on a specific area. Illustrate it with concrete examples (stories) and what the repercussions are at work – and, equally important, at home. For example, inform them what cyber attackers are looking for and what techniques they use, but most importantly how staff can protect themselves (a nice creative touch); highlight the assets under threat, and so on. The point is: don’t bundle everything together.
Why = objectives
As a CISO you are continually attempting to change behaviour and further improve company culture no matter where you are along the information security maturity curve. These objectives translate directly into your primary communication objectives – simple as that. Keep your eyes on the big prize of effecting behavioural change and leave the creative tactics to your communication experts.
When = timing
The larger the organisation, the more that news, surveys, company missives and a whole host of other communication pieces deluge employees. But whatever the size of your organisation, to ensure your important employee awareness campaign isn’t lost in the maelstrom of noise, work closely with the internal communication team and plan carefully when your campaign can land and have maximum impact. Which leads nicely to…
Where = channels
This is where your creativity can have a real impact. People absorb messages in different ways, so tell your messages through all available relevant channels at the right time. There is no substitute for hearing a consistent message regularly via different formats. There is more than email – you can use podcasts/blogs, online forums/intranet pages, newsletters, posters, screensavers, lunch-and-learn sessions/town hall meetings, training, Ambassador programmes (see later) and any other available channel.
Top tips to help your employee awareness campaign succeed
Here are some internal communication top tips and tricks to make sure your employee awareness campaign is a
These have big audience impact. Connect security at work to security at home. The best analogies concern personal/domestic stories where the audience feels a total connection. Furthermore, if you provide resources or tools that help an employee’s personal security, you reinforce the message immensely.
When an employee doesn’t take the bait in a phishing email, reports an incident promptly through the right channels, or your team overcomes a ransomware attempt, tell the world. Go big on employee stories and allow employees to share their own. Employee recognition builds a positive climate and drives improved information security attitudes and behaviour.
This helps you carry out activity regularly. Continually drip-feed your content and avoid publishing a deluge of information at any one time. Little and often works.
an Ambassador network
This is the creative biggie. Get employees to spread the news and – crucially – feed back to you the ‘word on the street’. Enlist a group of employees from across all business areas, geographic regions and job levels to be your eyes and ears. These guys aren’t the Information Security Police, but ambassadors who create another communication layer in your programme that encourages further interaction with and among staff.
Employees want to be heard. Go out, ask questions, seek opinions, gather real-world scenarios. Listen and do something with the information you are given. Employees who feel listened to are more engaged with your messages and feel more connected to your objectives.
Monitor open rates, intranet page activity, attendance at lunch-and-learns and so on. At the same time, keep an eye on your information security metrics and watch for upticks in performance linked to communication activity. Surveys are an excellent way to measure attitudes to and understanding of information security. The added benefit is that they can identify links to communication activity too.
From failure to triumph
In deploying a co-ordinated information security awareness campaign – one that not only transmits, but also receives – you create an environment in which people feel happy to voice their views. Even better, one where their ideas are taken notice of. In short, they feel valued. This leads directly to the attitudinal and behavioural changes required to maximise information security performance.
With this in place, you will never fail to communicate and, more profoundly, you will make your company more secure.