5 Things to Try in Your Training and Awareness Program in 2021
This article was originally published on the RSAConference blog.
Do you know what really kills a security or privacy awareness program?
Boredom erodes employee engagement, as people tune out the same old training or the same old messages year after year. And boredom erodes your own interest in your work, making it a mechanical chore instead of a commitment to building employee resilience at work and at home. Boredom is no good for anybody.
Combat Boredom by Trying Something New
If you find that you’re not getting excited about the new stuff you’re going to do with your employee awareness program in 2021, maybe it’s time to try something new, to make a real departure from the way you’ve done things in the past.
Here are five things you can try to breathe new life into your awareness efforts:
Maybe you’ve been leaning on fear a little too much and then wondering why your employees don’t come to you when they aren’t sure what to do. Here’s a clue: They associate you with negativism and punishment! Researchers are finding that while fear may give people a jolt, it doesn’t help build long-term positive behaviors.
But there are alternatives that you can use in place of fear appeals, including promoting optimism, resilience and self-regard. Make a point of converting as many fear-based statements as possible into more positive, supportive statements: turn “Cybercriminals are out to get you” into “You’re in control of your data,” for example, or “Don’t get hacked!” into “Together, we got this.” A positive attitude creates an environment in which it’s easier for people to succeed.
Maybe you’ve been requiring training because you think that’s the only way to get people to take it.
Maybe you’ve had to ramp up the consequences for not completing training over time, so now you find yourself spending hours badgering non-compliant employees and threatening punishment if they don’t take their training. What a drag for all involved!
What would happen if you made all training voluntary? If you didn’t offer enjoyable, worthwhile training, you’d likely see your completion rates fall way off. But making training voluntary provides you with a powerful incentive to make it worth people’s time.
Make Them Laugh
Adding humor to security awareness content seems to be all the rage these days.
But your CISO wants to play it straight. “Cyberattacks are serious business,” he insists. “We can’t have people joking around about serious threats.” And so you keep your training and your other communications somber and matter-of-fact.
People learn things in different ways: some like to read, some like to watch video; some like serious, some like funny. When you mix up your styles and your modes of communication, you open yourself to reaching different people.
Some worry that humor is “too subjective,” that one person’s funny is another person’s offensive. Of course, you’ll need to read your company culture and avoid the truly offensive, but don’t give in to the idea that your company will resist the power of humor.
Make a Commitment to Get Shorter in 2021
There is a raft of evidence around the power of brevity. It’s why TED Talks are 18 minutes long, why the average business video is 4.07 minutes long and why marketing giant HubSpot recommends that videos for social media should be between 30 seconds and 2 minutes. While there’s no one right answer, the general principle is: shorter is better.
Why? Shorter content fits into the gaps in people’s workdays, so they don’t have to set aside a big chunk of time for it. Shorter content is also generally offered in ways that are easier to share, and encouraging the social transmission of cybersecurity skills makes it easier for you to build a cybersecurity culture.
If there’s one thing the past year has taught us, it’s that the line between the cybersecurity skills we need at work and those we need at home is blurry. So if your training and awareness program confines its advice and its examples and (especially) its imagery to the office environment, it’s time for an overhaul.
Start connecting business and personal cybersecurity skills so that your employees will find your material relevant and meaningful.
Whatever You Do, Do Something New
The best thing you can do for yourself and your employees is to try something new in your awareness program in 2021.
The new things that you bring to your program will help capture employee attention with their novelty, and if you do it right, they’ll find your message more engaging and relevant than ever before.