6 Ideas for Building Engagement Into Your Security Awareness Training
What’s the ultimate goal we’re all looking for from our security training and awareness efforts?
It’s way bigger than “awareness,” the meager, milquetoast word that is used to describe our profession.
Awareness is the very least we should be shooting for. It’s the starting point.
Most of us will describe our broader goals in lofty concepts like “behavior change” or “risk reduction” or even “creating a security-aware culture” or “risk-aware culture.”
Yet these can seem so grand, aspirational, and hard to measure that it may be years before you know if you have achieved them.
There is, however, a guiding principle that you can follow that will lead directly to your loftier goals, and that can be identified and measured along the way.
I’m talking about “engagement,” which is the idea of attracting the kind of attention and interest from your employees that motivates them to adopt security and privacy best practices. It’s the opposite of some of the bad practices in training we know so well, like:
- Bloated, lengthy training
- A punitive, scolding tone
- Tired old graphics and cheesy stock photography
Engagement starts the process of people changing their behavior, reducing your risk profile, and building a security- and privacy-aware culture. With a bit of work and attention on your part, you can build “engagement” into your program and progress toward reaching your goals.
How Awareness Can Become Engagement
Whether you’ve been “doing awareness” for a long time or are just getting started, you probably know that getting employees to adopt security and privacy best practices makes for a more resilient company, and that the practices people learn at work translate directly into how they navigate the digital world in their personal life.
The trick then is to design our training, reinforcement, and other communications to ensure that we engage people’s attention and motivate their actions. We’ll only get so many chances to communicate with employees.
While we as training and awareness managers may have the backing to make training required, that doesn’t excuse us from making training awesome.
After all, engagement isn’t something you can require—you have to earn it. That means thinking very consciously about the way you communicate.
Provide Value Based on Respect and Trust
With engagement as your guiding star, it becomes easier to think about using your training and reinforcement to interact “in ways that provide value to your audience, with the goal of forming genuine relationships based on mutual respect and trust,” to borrow Katy French’s description of how to succeed with engagement marketing.
If you’re looking for a mantra to guide your training and awareness team, “provide value based on respect and trust” is pretty hard to beat.
Here are some practical ways to build engagement into your training and reinforcement:
- Use concise explanations and witty language, to show people you respect their time and intelligence
- Use vivid illustrations and photography, to show people you respect their taste
- Provide interactions that capture the imagination and examples drawn from real life, so people see they can use what they learn in their work and at home
- Keep training as concise as possible, so employees will trust that you’re not wasting their time
- Develop role-based guidance, so people see that you understand their unique responsibilities and can train to them
- Avoid fear-mongering or stereotypes, to prevent people from dismissing you and ignoring your message
When you think of all the different content you’ve seen that doesn’t meet this standard, it becomes really easy to see why so much required training and corporate communications fails to engage employees.
What HR and Marketing Say About Engagement
We can look to our colleagues in Human Resources and in Marketing—two areas of business that also focus directly on people and behavior—to build our understanding of how to make engagement central to our work.
After all, all our disciplines have a set of people who we want win over to our cause, or to the mission of our organization.
Like HR, the people we want to engage are all the employees of the organization.
Like Marketing, we can’t count on these people to be naturally engaged in our topics—we have to convince them these topics are worthwhile.
Let’s look a little closer at how they define and seek “engagement.” There are important lessons there for our work.
HR Engages Employees to Improve Organizational and Individual Success
HR experts agree that if the employees are more committed to the organization—that is to say, if they are “engaged” by their work for the organization—they will be happier, more productive, less prone to error, more focused, and more committed to doing their best work.
Here’s how Gallup puts it: “Engaged employees produce better business outcomes than other employees–across industry, company size and nationality, and in good economic times and bad.”
According to SHRM (the Society for Human Resource Management), engagement is the “strength of the mental and emotional connection employees feel toward their places of work,” and it impacts their “willingness and ability to contribute to company success.” (For more, see TD and CIPD resources.)
That feeling of mental and emotional connection goes by another name—trust.
When employers trust their employees, those employees feel valued and committed; when employees trust their employer, they work to advance its interests. Clearly, HR is seeking to get more engagement from employees because it is better both for the organization and for the employees.
Marketing Engages Prospects to Build a Relationship that Goes Beyond Sales
It’s a similar dynamic with Marketing, only with prospects and clients instead of employees.
Marketers seek to portray a brand image and a voice that aligns with the self-image of prospective buyers. They try to understand the problems of those buyers and then propose solutions to those problems that will be useful. Because they don’t want to come off as too salesy and promotional, they seek to build trust, to share solutions rather than to sell products.
When engagement marketing works well, it feels authentic and trustworthy, and the “targets” of this marketing don’t feel like they are being marketed to at all.* In the end, writes Dan Westmoreland, “engagement marketing is about connecting with people.” (For more on “engagement marketing,” see this from LinkedIn.)
Taken together, these concepts from HR and Marketing should help reaffirm our commitment to using our security training and awareness efforts to provide value to employees based on trust and respect, and to use that to build more resilient cultures.
Engagement Enables You to Reach Your Big Goals
You’ll have a number of practical goals for your security training and awareness program and they may include:
- Ensuring your company complies with regulations or meets industry standards
- Showing improved employee performance in defined areas, such as phishing and incident reporting
- Meeting some basic training completion goals (the bare minimum as far as I’m concerned)
When you start by focusing on engagement, you’ll find every one of these targets is easier to reach.
But the real magic of focusing on engagement is way it helps us reach our loftiest goals.
When you build your training and awareness to engage, you offer your employees an entry into your world—the world of security and privacy—that is intriguing, inviting, and rewarding. Thus engaged, people will naturally seek to explore and learn more.
Engagement is the fertile soil in which people will find the motivation to act, consistently and deliberately. It creates the conditions that make real behavioral and cultural change possible.
*To be both fair and transparent, this essay is an example of engagement marketing. After all, I represent a company that has a product to sell (hell, I was a large part of building that product), but I am not a salesperson. I focus on the shared problems and aspirations that we have, not on selling.