7 Things We Learned from Our Live Training and Awareness Chat Sessions
Our series of three live chat sessions for training and awareness managers was a bit of an experiment, and it worked! Here’s what we learned.
This article has been updated to include more things we learned from additional therapy sessions held after the original publication date of April 22. Enjoy!
Need to vent about the world right now?
That was the original inspiration for our live chat Group Therapy Sessions for Training and Awareness Managers.
With coronavirus forcing limits to the human contact we all crave, we wanted to connect with colleagues and just talk.
Talk about how our jobs have changed.
Talk about ideas we’ve had.
Talk about how much the current situation sucks.
Well, we did it, and it was pretty cool!
The More You Know
We did six sessions over six weeks. The turnouts were modest, but that was a good thing because the conversations were beyond meaningful. Here are just a few examples of what we discussed:
- New ideas for security awareness communications in these strange times
- Career advice
- Navigating office politics while we’re all remote
- Planning for National Cyber Security Awareness Month already
We were never at a loss for words. (But then if you know training and awareness folks, we’re usually pretty chatty.)
Being in the training and awareness world ourselves, we couldn’t not take some lessons out of this little experiment. That’s our job, right?
With much thanks to the therapy session attendees (who will remain nameless), here are some takeaways.
Avoiding Information Overload
Training and awareness managers can fall prey to communicating too much, and about too many different topics at once. This can leave users scratching their heads about what’s most important when the answer is usually “It’s all important!”
Phishing is by far still the biggest threat out there, but others in our sessions told us about the need to cover many more cybersecurity topics as their people continue to work from home. How can we fit it all in?
Our advice is to take it one topic at a time. Not every newsletter you send has to touch on every threat every time. Eyes will glaze over. People will stop reading and move on.
Instead, try a laser-focus on one topic for each communication. What is the biggest risk you’re trying to affect? And how can you measure it?
If it’s password manager adoption, focus on JUST THAT until you start to see the needle move. Do more of what’s working and less of what’s not to get results. If you focus, you just might find that your employees do, too.
As long as we’re on the topic of password managers…
Password Managers: Yea or Nay?
This has been a popular topic in our group therapy sessions.
All agreed that using a password manager is one of the best security behaviors you can encourage. We agree!
The issue wasn’t their usefulness but more us getting out of our own way in the IT and security world. First, some organizations haven’t settled on one password manager for company use, nor do they allow the use of a personal account for company credentials. Second, the frequently changing advice on what makes a secure password has spurred internal politics and back-and-forth bickering, preventing organization-wide password management practices from being put in place.
Though a bit off-topic, this discussion made me think about the dangers of getting too far into the weeds with training and awareness. Security folks talk minutiae and details for a living because they need to. But users are done a disservice when too much detail is worked into training content.
Passwords are a perfect example. The best advice can just about be boiled down into two sentences:
- Use a complex phrase or sentence
- Use a password manager to help keep you from repeating passwords
That’s it. Debates on special characters, dictionary words, and technical details of the various password managers only serve the bad guys.
It Pays to be Creative
The creativity of those who attended the sessions didn’t disappoint. So many ideas!
One attendee told us about the virtual scavenger hunt he organized for his staff on their employee resource center portal. He used clues and new educational resources to get people hunting through the employee security portal, which sounded like a great way for people to get familiar with where to find info about security and what lives where on the resource center.
Another attendee shared her emerging plans for ways to include her coworkers’ children in her cybersecurity education plans. She envisioned a “Bring Your Child to Work Day,” since home offices are doubling as daycare centers for so many working parents. Her team produced a variety of child-friendly resources to help their employees keep their children engaged during the workday.
Both ideas were met with rave reviews from inside the attendees’ organizations. The lesson for us here is to try the unique. People often engage with stuff that’s novel, and in the case of the content for kids, super helpful.
Get weird. Get funny. Make word searches with cybersecurity terms. If not now, when?
Mixed Feelings on Coronavirus Phishing
One of the topics that’s been lighting up LinkedIn lately is using coronavirus-themed simulated phishing emails in training and awareness efforts. We’ve expressed our own thoughts here, but we wanted to take the temperature of others in the field.
The feedback ranged from absolute yes’s to absolute no’s, with some in between. The “yes” camp made points we’ve heard in the broader training and awareness world: the bad guys are doing it, so we need to prepare our people. The “no” camp maintained that employees are stressed enough without having to expect traps in the guise of training from their own companies.
No matter the viewpoint, we were pleased to see the seriousness and thought each attendee put into this topic.
Training and awareness managers know how to “read the room” of their company culture to decide what type and how much simulated phishing is appropriate in this climate. Everyone’s goal was behavior change, not simply to trick the “stupid user” into clicking an intricately devised simulated phishing email (overall, the “stupid user” mindset was taboo for all our attendees).
Video is Worth a Million Words
Many attendees touted the success they’re having with short videos reinforcing key points. Either “homemade” or provided by a training and awareness vendor, videos were a popular part of many managers’ arsenals.
We can’t pretend this is news. Facebook and Twitter aren’t flooded with millions of hours of video for no reason (even if it’s mostly cats). But the age of quarantine has made video even more important for getting your message across.
The lesson here: We’re all likely inches away from our own video recording studios. Recorded solo Zoom meetings make the perfect platform for creating one- to two-minute reminder videos about important security topics when working from home.
And those custom virtual backgrounds are good for more than pretending you’re in Bora Bora. Try creating simple graphics (using a mostly free tool like Canva) to help illustrate your points. Pretend you’re a TV weather presenter!
Don’t necessarily let the “low-budget” perception of this approach scare you away. If online sing-alongs and pass-the-pet videos can go viral, there’s no reason a quirky video on keeping your home office secure can’t, too.
People Need People
We’ll be simple here: It was nice to talk face to face with colleagues.
We set up the chats so everyone could turn on their webcams if they wanted. Tom Pendergast and I were on screen the whole time so attendees could put faces to voices.
Toward the end of each hour-long session, attendees more often than not simply said “Thanks for just letting us talk with people face-to-face.” That really struck a chord with us.
Working from home can be lonely, so we were pleased and honored to provide an opportunity for human interaction.
That’s also a lesson for training and awareness: don’t forget to be “human” in your program, now more than ever. Be transparent, be real, strive for genuine connections with your employees in your awareness program.
We’ve All Been There
Our sessions could have been sponsored by the letter C, for commiserate. But I’d like to suggest that C also stands for community.
There’s nothing quite like being heard by someone in your exact pair of shoes. Even if it’s just a simple nod or “Mhm-hmm” of agreement, knowing that someone else is going through the same challenges you are is priceless.
We’re all trying to keep from going crazy right now. The lesson here has less to do with training and awareness and more to do with being part of a larger community that’s all going through the same thing.
Reach out to your colleagues on a regular basis. Text. Slack. LinkedIn. Whatever channels you have available in your company. Be accessible.
Now more than ever, people want human connections. Security professionals in general can suffer from a reputation of being, at worst, kinda grumpy or socially awkward.
I once worked for a CSO who gave me the task of “humanizing” the security department to the rest of the company: letting them get to know us as people so they’d feel more comfortable engaging with us. We used “employee spotlights” featuring different members of the security team, so people could get to know us.
Messaging campaigns that highlight transparency and human connection are being well-received in the current environment, so you might want to take advantage of the mood and open the curtain on the security team. We’re people too!
More to Come
With all this said, we’re working on a way to keep these chat sessions around long term, beyond the coronavirus situation. Stay tuned!