5 Lessons from a Month of Security Awareness Barnstorming
By the time this publishes, I’ll be nearly done with one of the more frenetic months of my life.
This October, I’ve been barnstorming.
Not the kind of barnstorming in the picture—I wish!
Instead, I’ve been going from company to company (virtually of course), performing my cybersecurity side show to help support Cybersecurity Awareness Month. My talk focuses on some simple skills people can practice to navigate the digital world, at work and at home.
My goal was to convey as much useful information as I could. But in the process, I learned some stuff, too! Here are some takeaways that may be useful to you:
People Dig Stories
Here’s the feedback I heard most: “I liked it when you told that story about …” And it’s no surprise: stories work, especially when they’re real.
When you tell a story about yourself or your experience, people can tell. They empathize, and they put themselves in your shoes. They can imagine themselves in the situation and if you present a story that helps people understand how you’ve solved a tricky problem, it helps others imagine themselves solving their own problems.
Ultimately, what gets me out of bed in the morning is that idea that I can help people better understand cybersecurity and privacy—and stories are a great tool for that.
Keep It Positive
I made a point not to lean on fear (or uncertainty or doubt) to stress how important cybersecurity was. Instead I focused on an upbeat message about how capable they were when it came to controlling their personal data, batting aside phishing, using passwords, setting up home Wi-Fi networks, etc.
I didn’t want people leaving my presentation saying “Man, the Internet is a scary place”; instead, I was hoping they’d think, “You know, I got this.” That’s the kind of attitude I want among my employees.
Make It Practical
What draws people to these cybersecurity talks?
Are they seeking “credit” toward some compliance mandate? Did they have an hour they needed to fill? Or were they confused or bored by their regular security awareness training and hoped this was a chance to fill a gap in their knowledge, maybe learn something?
I’ll never know for sure, so I worked from the premise that people wanted to hear a real live person talk about this stuff, and maybe pick up some tips that would work them.
This means I kept it practical—here’s how skeptical you need to be about email; here’s the crazy, stupid, and sometimes devious ways social engineering works; here’s how freaking wonderful it is to use a password manager.
My goal was that everybody could walk out with two or three things they could do a little differently.
Keep Up the Energy … and the Authenticity
My biggest fear in doing these presentations was that I’d be boring. So in the months leading up to October, I started watching people on web meetings and webinars really closely.
One thing was clear: energy and authenticity mattered. People who delivered with low energy and a monotone voice just made me want to flee.
But energy alone wasn’t enough. I saw one person deliver a presentation that pulled out all the high-energy tricks—body movement, energetic voice, big gestures, looking right at the camera—but it was clear that it was just a show. I didn’t BELIEVE it at all, because I didn’t think this person really cared.
It’s when people combined energy with actually caring, based upon their authentic interests, that I really engaged. So I tried to bring energy to my presentation. I reminded myself that I really liked talking about cybersecurity, and that this was an opportunity to get other people excited too.
All while showing the “real me,” not some showman version. This feels risky, I must admit, because when I look in the mirror I see a boring old guy who gets overly excited about password managers. I ultimately just decided to own that and offer it up with as much passion and honesty as I could.
If you’re preparing to do this yourself, I’d just say take the chance of letting people see the real you.
Prep, Practice, and Revise
Years ago, our CEO used to insist that I give him a dry-run on my presentation if I was going off to represent the company at a conference. It irritated me, but I have to admit it always helped and I’ve incorporated this practice into my routine.
This year, I did two dry-runs before the first live show (at 5AM on a Thursday morning!). I was glad I did—it smoothed out the kinks. And as I gave the presentation again and again, it got better and better, my delivery smoother and more convincing (well, to me at least).
This practice also helped me revise—every time I found a little rough spot in my presentation, I revised it before the next one. I think the folks who got me at the end of the month got the better deal.
In this time of virtual meetings, the other thing I did was prep calls. There are so many video conference tools out there—Microsoft Teams, Zoom, WebEx, and GotoMeeting—that doing a quick prep call in advance ensured that we ironed out any of the kinks. I felt better and believe me, so did the meeting organizers.
This last point reminds me of the added bonus to barnstorming: you meet some awesome people. The energy and enthusiasm I felt from my colleagues in Poland, Washington, DC, Houston, San Francisco, Cincinnati, and beyond really made this last month a real treat.
Here’s hoping that as October comes to an end, my colleagues in cybersecurity and privacy recognize how important it is to communicate directly and regularly with people, and use their own experiences and ideas to liven up their presentations throughout the year.
If you ever need a guest speaker, you know who to call.