By Chrysa Freeman, Security Program Manager, Code42
June 18, 2020
There are many ways to lead people; some are more effective than others, and there are lots of experts in the field of leadership. I don’t propose to be an expert, but as someone who has observed good leaders and bad leaders, there are some traits that I think are critical for success which translate perfectly in supporting a successful Security Awareness program.
In my summation, the measuring stick of a visionary leader is whether or not you are getting positive results over time. Short-term results are not hard to come by and can sometimes be the fruit of a heavy-handed leader. But anyone in Security knows that FUD (fear, uncertainty and doubt) is neither fun nor effective.
The four leadership traits that I admire most are also ones that a security awareness professional can use to improve their program.
Trait #1: Have a Clear Vision
For your vision to come to life, you need everyone in the company to be on board with it and keep it top of mind as they go about their day. In security awareness you already have a clear vision: influence employees to adopt behaviors that help minimize risks at your organization. The key is getting your message through to folks and getting it to stick. You can do this using repeatable, relatable and doable messages:
• Repeatable – As in advertising, people need to hear a message multiple times and in multiple formats before they’ll notice and remember it. Communicate in all channels where employees go for information, which may be different across the organization. Use your security ambassadors to repeat your messages. Whether or not you have an official ambassador program, you probably know security enthusiasts or influencers in your organization who may be willing to help.
• Relatable – Let’s face it, we are drawn to things that match our image of greatness. Use language and images that match your culture and your vision of the future. In the current pandemic environment, we need to pivot as our employees have pivoted their image of their best selves from the kitchen table instead of from their office. We are also in the midst of racial tension and injustice, protests and anger. It’s okay to recognize and relate to that in your messages, if appropriate. Be transparent, be real, be honest but be careful of using it as a prop to look relatable. People will see right through that.
• Doable – If a security training isn’t on the top of employees’ fun and productivity lists, which is usually the case, then make it as digestible and short as possible. They can fit a 3-7 minute training in on almost any given day. They will need to block their calendar to fit in a 30+ minute training. Also provide easy-to-access resources for employees to find what they need. For instance, is your policy hidden behind a firewall right now that requires employees to use VPN? Do they need to encrypt outbound emails and, if so, are instructions and tools easy to find and use? I suggest using small and easy-to-remember search terms on your intranet or where you house information you want everyone to find. For instance, with email encryption, using the title or tagging the page with “email encryption” will make it easier to find than a page titled by the name of the vendor you use for encryption. Make things short, simple, sweet and easy if you want people to take action on them.
Trait #2: Listen, Listen, Listen
You can’t lead people effectively if you don’t know who they are and what makes them tick. Coffee chats with smaller groups are a nice solution in the office. But now that we are remote, a much more effective opportunity to know your employees is to use Slack or MS Teams and join ALL CHANNELS. Yes, it takes time but once you are caught up, you’ll see what your employees are talking about. (Hint, they are talking about what is important to them.)
As any good communications guru will tell you, the success of good relationships is in your ability to listen. Our CEO is now doing this and so am I. I want to know what interests people, what irks them and what conversations and groups they are drawn to. Using myself as an example, besides my project channels you’ll find me in the dog, wine and work-from-home-confessions channels. What does that tell you about me?
Additionally, as humans, we rely heavily on reading facial cues or microexpressions to understand whether the people we are communicating with are receiving our messages. At Code42 we encourage the use of video in all our meetings, which started because it’s just really nice to see our co-workers while we are all social distancing. Secondly, it also gets people up, hair and teeth brushed and out of their pajamas for a “day in the office.” But for a leader and an awareness professional, using video is so critical for us to better understand and relate to those we are conversing with, adjust our messages if needed, and in general, communicate much more effectively. So if your company and leadership are not supporting this, I’d suggest trying to influence them (your HR partners will probably back you on this) or make sure you use video yourself as a role model. It’ll catch on because most people will want to show their face since you are showing yours.
Trait #3: Say Thanks
So easy and yet so hard to remember to do frequently and at the right time. Imagine these two scenarios: 1) your kid asks for $20, you give it to them and they dash out the door, or 2) your kid asks for $20, you give it to them, and they hug you or say “thank you, this is great!” before they dash out the door. Captain Obvious is going to guess that most of us would prefer scenario 2, and it isn’t any different with your employees.
When we get above average results from our phishing tests, we tell them they need to up their game because we need them as part of the team protecting the company. When they do really well, it pays dividends to stop and thank them. Gifts like gift cards, donuts, pizza are always appreciated but since those are hard to distribute right now, a heartfelt thank you via email or on an all-company channel fuels the fire for everyone to continue to work together to keep protecting the company. If you can have a thank you come from your CISO or better yet, your CEO, it will be even more impactful.
Trait #4: Empower People
The people we work with are smart and driven or we wouldn’t have hired them. We should be communicating and training to their highest good to nurture that out of them. If you treat someone like they’re stupid, over time, they’re probably going to act stupid because that’s what you’ve been expecting from them. Instead, empower them to join you in protecting this company that provides us pride, learning, development and paychecks, at the very least. This is easier to do if the leader at the top has helped build this type of culture already but if not, you can still take it up as your modus operandi.
We recently built our own employee insider threat training that is much different than anything I’d seen on the market. Instead of teaching the indicators of an insider that employees should watch out for in each other and report upon, we outlined what we want from people, especially when storing, sharing or moving data, and reassured them that we will always assume positive intent until it is clear that something malicious happened. Assuming Positive Intent is one of our values at Code42, so that helps, but we know that most security events and incidents we face day to day are a result of human error or negligence rather than malintent. So we outline what is expected of them and ask them to partner with us for solutions and report anything that doesn’t support that. We communicate, often, that our security team is more interested in proactively solving problems together with users and the business than in spying on them. You can view the training here and use it as you wish at your own company.
Chrysa Freeman has been in corporate security for 13 years. She’s built security awareness programs from the ground up in various industries including retail, technology, and healthcare. Chrysa is currently Manager of Security Awareness at Code42. She is passionate about the juncture where security and the science of human behavior intersect. Chrysa enjoys sharing her knowledge on building world class security awareness programs and insider threat issues. Most recently she has spoken at Secure360, ISC2 Congress, The Wall Street Journal Cybersecurity Forum and the Minnesota Continuing Legal Education Conference.