Why You Should Strive for Engagement, Not Just Awareness
When was the last time something really engaged you?
I’m not talking about something that entertained you (like the Netflix series you just finished) or amused you or shocked you.
I’m instead talking about something that drew you in and held your attention, that really piqued your curiosity, and maybe even prompted you to change your behavior.
I had just such an experience recently and it got me thinking about how we need to deepen our understanding of what we’re trying to accomplish when we run a security training and awareness program (or a privacy training and awareness program). But first, let me tell you a little story about my own experience with engagement.
There Are Three Kinds of Birds in This World…
I come from a long line of “bird nerds.”
My grandparents, my favorite uncle, and my mom are all thrilled by birdwatching (or “birding” as the cool kids call it).
But I’ve always been a skeptic. Birding always seemed like a bad excuse to slow down a walk.
I scoffed at their birding fascination. I took the somewhat cynical approach of my friend’s grandma:
“There are only three kinds of birds in this world: cool birds, like eagles and woodpeckers; water birds, like ducks and loons; and the rest are all little brown dicky birds.”
You see, I was aware that there were all kinds of birds in the world, but I sure as hell wasn’t engaged by that fact.
That is, until just the other day.
Bit by the Birding Bug
Early on in this damned pandemic, when the lack of human connection still felt fresh and raw and painful (as opposed to now, when it’s just painful), my colleague Jeremy Schwartz did a “lunch and learn” Zoom presentation on birding. I signed up. Truth is, I was eager to interact with people (other than my wife) about anything other than work.
To my great surprise, I found myself enthralled.
Jeremy described the behavior of five local birds, birds that I had seen but couldn’t identify myself. After work that day, I sat on my back porch with my wife and I watched one of the birds he described flit through a nearby tree. For the first time, I wished I had binoculars. I think right there, I was hooked.
The next day, I went for a walk down by a local wetland beyond our water treatment plant and suddenly realized that the marsh was ALIVE with birds.
Swallows swooped around, catching insects.
A pair of bald eagles sat atop a dead tree.
A giant heron flew by in the distance.
And that persistent “whitchety-whitchety-whitchety” call? It was a Common Yellowthroat, now one of my favorite birds (and depicted above in a stock photo).
The world suddenly felt like a giant “Where’s Waldo” picture. In a few short weeks, I went from vocally skeptical to hooked. When it comes to birding, I was ENGAGED.
Engaging Your Employees
I joked with Jeremy the other day that I hoped he was a paid recruiter for Big Birding, because he deserved a recruiting bonus for finally moving me into the ranks of birders.
But guess what: if you are involved in security awareness or privacy awareness, you are, in fact, a paid recruiter for Big Awareness.* You’re trying to recruit your whole darned company to join you in your nerdy enthusiasm for protecting data, yours and your company’s.
The funny thing is, while we use the label “Security Awareness” in our profession, what we’re after isn’t really awareness among our employees. They are all aware they need to use better passwords and avoid phishing attempts.
But they don’t all consistently act on what they know, because they’re not all that motivated. That’s because they haven’t been engaged by cybersecurity yet.
What we’re really after, I’d argue, is engagement. We want people to care enough about cybersecurity and privacy best practices to put what they know into action.
We want people to choose the password manager that’s right for them.
We want them to help their mom and their kids learn how to be safer online.
If that’s what we want, then it’s time we start approaching the ways we communicate with people differently.
If we really cared about engagement, we wouldn’t dream of boring people with long, tedious security training. And we’d never try to scare people with threats about what could happen if they clicked a phishing email.
What Engages You?
As you think about how to make your security awareness program a real “security engagement” program, I’d like to ask you to think a bit about what has engaged you recently. What was it that got you interested? What drew you deeper? What triggered you to take an action?
For me, it was recognizing there was a whole world out there that I just wasn’t paying attention to: the world of birds. It just took the right trigger for me to learn how to see it.
That same world is out there for security and privacy—and it’s our job to entice people to pay attention to it. It’s our job to ENGAGE people in the fascination of it all. Because when we engage them, we’ll start to see action.
In my next blog post on this topic, I’ll look at how other business areas—like marketing, HR, and brand management—have defined the term “engagement” and look at some of the tricks we can borrow from them to engage employees in improving their security and privacy practices.
*Don’t get me started on how much I hate the word “awareness.” Awareness is the absolute minimum thing that we want to promote!