Your team lacks awareness of information security risks. How can you engage them effectively?

Change happens when the pain of staying the same is greater than the pain of change. Tony Robbins Whilst we as security professionals tend to avoid and warn people, organisations on risks and even might get very frustrated advices (and to be honest not always actionable) are not followed...it is sometimes needed to experience somekind of pain. However never, ever, do this for high risks...because...well...the risks are too high and " accepting" this would be a professional fault.

Being able to answer the question of “Why should I care?” goes a long way in helping someone understand their role as a risk manager. It’s all about context.

It is crucial to provide a tailored cybersecurity training categorized as per the roles and responsibilitues of each team. Of course, there are some common training topics required to be covered for all the staff or team in general. Otherwise, it might become even boring for most of the training attendees if not customized to their job function. Hence, most of the cybersecurity training topics must be provided as per the job requirements in order to get up to the engagement level required from each team, which can also result in improving the information security culture within the organization as a whole.

If you have the available experience, base the training exercises on real-life incidents that you have been involved in. By conveying the realities of an incident you (or someone on the team) experienced, you’re subliminally telling the trainees that this could happen to them. This incentivises them to absorb the material. Off-the-shelf, generic training is rarely relatable.

Create customized gamified learning paths tailored to different roles. New hires can start with basic cybersecurity principles and more experienced team members can tackle advanced challenges related to their specific roles, such as secure coding for developers. Enhance the gamification experience by integrating real-world scenarios. Create scenarios based on recent cyber threats that the organization has faced. Implement a continuous feedback and reward system. Offer tangible rewards such as digital badges or even small prizes for top performers.

Another interesting way of learning revolves around Table Top simulations. Building and effectively using scenarios is a good way of sharing and learning as it imbibes principles of story telling, brain storming, scenario building, practical involvement.

Organize contests or challenges that reward individuals or teams for identifying vulnerabilities or coming up with the best security practices.

Gamification should be considered as it is probably the most effective and seamless way to obtain traction with employees, especially on a topic this sensitive!!!

O senso de evolu??o no aprendizado muitas vezes é difícil de mensurar. Campanhas gamificadas de seguran?a da informa??o no ambiente corporativo ajudam muito no engajamento e pode auxiliar na transparência do aprendizado quando inserido uma metodologia de pontos, fases ou mesmo ranking.

Stories are the lifeblood of culture change. It is an often-overlooked artform, but to make people aware of risks, telling stories are part of the way to get people to understand what the real risks are. Seeing the impact of real-world events and asking how it might impact the conversation brings others into that story telling process, to make them feel part of the solution can be a powerful way to create change.

Storytelling has a strong effect on people. One challenge in this method is that the skill of telling stories and using metaphors to persuade is not widely used. However, it is one of the best ways to influence and engage an audience. Using stories in cybersecurity awareness can clearly explain the importance of cyber threats and how to stay safe in a way that is easy to understand and remember.

When we are giving security awareness training.We should always see that we take real examples to show how security is necessary so that the employees know on how to secure their data or personal information from unknown people

En 2018, j'accompagnais le RSSI d'une entreprise dans le domaine de l'asset management. Pour sensibiliser le Comex et l'engager dans la transformation de la cybersécurité de l'entreprise, nous avons invité un directeur de la cybersécurité d'une grande entreprise qui avait subi une cyberattaque de type ransomware, afin de partager un retour d'expérience sur la gestion de cette crise et son impact sur les affaires. Après ce témoignage, le Comex a débloqué un budget important pour mener à bien des projets majeurs et prioritaires de la stratégie cybersécurité de l'entreprise.

Sharing stories should be understood as a record of lessons learned. If the organization has an efficient incident management system, these stories can be recovered. However, not all past stories can be used as prevention due to the current state of implementation of information security policies. Finally, the organization needs to be able to manage and disseminate this knowledge, especially regarding threats and vulnerabilities that have already been resolved.

1. Leadership Involvement: Have leaders model security behaviors to emphasize importance. ( #1 and a little of companies lacking) 2. Interactive Training: make sessions engaging. 3.Real-World Example: Share case studies of breaches to highlight impacts. 4. Regular Communication: share security tips often 5.Recognition: Reward those demonstrating good security habits. 6.Feedback: Allow team input on security practices to foster ownership. 7. Discuss: how security affects personal lives, not just work.

The most important is cultivating a culture of IT security that will put all required processes, governance and tools together Foster a culture where everyone is taking ownership of security and compliance is a key To have such culture training, tools, leadership’s engagement and connecting IT security with all JDs and business goals is very essential

It's more than important to ensure that leadership is visibly committed to information security. When there is a continuous prioritisation and discussion including reasoning, it sets a tone for the entire organization. Also when security reponsibilities are integrated into the job roles and processes it ensures maintenance and continuous improvement as well, in my opinion.

Risk aware cultures are difficult to build for many cultures as it often requires a shift in thinking from a purely technological one to a risk one. It requires continual education and an organization where continuous learning means more than just sending the team to training, but continual conversations about risk, the threat landscape, data, and continual conversations. There are multiple vehicles to accomplish this including creating security champions programs, education sessions, and bringing everyone around to evaluate the risk. It requires creating a culture where people are not stretched for time. It can take years to build, but the rewards can be great. Even small steps can created market improvements.

Building a risk-aware culture is challenging because it requires shifting from a purely technological focus to understanding cybersecurity as a broader risk management issue. This involves continuous education, regular discussions on threats and risks, and creating initiatives like security champions programs. The key is fostering an environment where employees have the time and resources to engage in these efforts. Though it may take years to establish, even small steps can lead to significant improvements in security and overall risk management.

Providing the right tools can empower employees to practice good security habits. Implement user-friendly security tools that help safeguard sensitive information, such as password managers, multi-factor authentication, and secure communication platforms. Training employees on how to effectively use these tools can reduce the burden of maintaining security and make it easier for them to integrate these practices into their routines.

La inversión que debe realizarse por parte de las compa?ías en herramientas, por si sola, no es suficiente. Una herramienta por mejor que sea, sin una estrategia de monitoreo, seguimiento, control y acción activo-preventivo, es tan importante como tener las mejores herramientas en ciberseguridad. Puedes tener el mejor anti-spam, pero si no tienes una estrategia y plan de acción, el programa por si solo no te va a proteger. Recordemos que la ciberseguridad es una materia en constante evolución que implica un esfuerzo importante en cualquier estrategia de TI, sobre todo, porque las inversiones, tienen un ROI diferente de analizar y sus resultados deben impulsarse para que sean visualizados

Certain tools as well as processes should be considered table stakes at this point. Password managers are great examples of a tool that is low cost, easy to implement, and have a big impact.

Empower Champions One effective strategy is to identify and empower "security champions" within your team. Simulate Real-World Threats Conducting regular simulations, such as phishing tests or mock data breaches, can be an eye-opening experience for your team. Leverage Microlearning Consider breaking down cybersecurity training into short, digestible segments delivered over time. Promote Accountability Encourage a sense of personal accountability for cybersecurity among team members. Customize Communication Channels Use multiple communication channels to reinforce information security messages. Celebrate Successes Finally, make it a point to celebrate successes and milestones in your team's information security journey.

I think it’s important before delivering any training to understand first what it is they don’t understand in the Information Security department. Only the best training is effective if it meets the needs of the team. Look at the challenges departments and individuals are having, where are the vulnerabilities? Understand the weaknesses, errors and data particularly from the Helpdesk. For example, if there is a high number of calls to the Helpdesk for password recovery, then we know we can tailor training to support employees to set up passwords with more confidence and stronger execution. By listening we learn how to be better.

Create a safe space where team members can discuss security concerns or share ideas for improving security. This helps in building a security-aware culture where everyone feels responsible.

Effective feedback loops require proper measurement of controls in your secure development lifecycle. If you can automate them using a platform and track performance on how well development teams are managing vulnerabilities, identify trouble spots in code, and put in additional safeguards and refinements to training from above, you will have a resilient feedback loop that is contributing to the security posture of your SDLC teams. This will also allow stakeholders to accurately measure risk across engineering efforts at your company.

Risk comes or arise from not knowing things with respect to when, why, what and how. These are the key practices to be followed by individuals while performing their job. These simple and most effective way of dealing with risk. However, most of the times people run around from pillar to post with a huge burden of complex theory and processes without knowing why they are doing what they are doing. Big irony but it's quite true position of employees working in majority of organisation across the globe..