How Can You Promote a Security Culture in Your Organization?

Securing engagement — Internal communications strategies to promote a culture of security

Integrating security awareness into the culture of an organization depends entirely on the behavior of employees. Workplace culture is defined by the collective habits, beliefs, and interactions between the professionals working within it. Security teams can leverage this culture to build a more secure enterprise through an effective internal communication strategy. 

Frequently, the security team's effort to promote internal awareness of its services is an afterthought, with the lion's share of attention and resources going to tools and processes.

While these are important, the human factor must not be ignored. What follows is an argument in favor of developing and implementing an internal security awareness communication strategy to engage the broader workplace community and address the most frequent point of failure — human error.

Challenges with shifting toward a security culture

When attempting to shift workplace culture toward a more desirable state, in this case one focused on security awareness, communication should be the primary focus.

This can be challenging; factors like workforce size, expertise, visible milestones, and the degree of departure from the status quo can impact the outcome. Shifting toward security can be particularly difficult due to the lack of payoff.

How can you communicate your message effectively?

Internal communication is propaganda.

For instance, Canadian financial institutions are notoriously conservative and risk-averse. Within the security and risk organizations, the phrase “Protect the bank” is the mantra.

It is frequently used without qualification to justify risk mitigation activities; from implementing a due diligence process to requiring additional information to complete a transaction. One can imagine this phrase as being quite old; a cultural by-product of countless interactions between generations of bankers who acted to secure capital in uncertain times.

That's why it's important to communicate effectively if you want everyone to understand security. 

And always remember, adoption varies from person to person. The progress of adoption can be visualized as a product adoption curve (see below), and a good strategy will facilitate positive reinforcement.

Tweak messaging as per your audience

A workforce is not a monolith.

To address diversity, effective communication strategies need to consider segmenting stakeholders into groups so that they might be targeted with specialized messaging.

For instance, a technical specialist might find the “how” of security activities more engaging, while their manager is more likely to be interested in the “why,” as well as how security serves the overall mission of their organization. Traits like job function, line-of-business, language, age, geography, and commitment type are all useful grouping criteria. 

Consider age, a hot topic when it concerns the youngest, most tech-savvy cohort to enter the workforce of late. These “Digital Natives” consume less traditional media than previous generations, preferring new mediums like online video, discussion forums, and social media.

It's worth keeping in mind that the more you segment your audiences, the greater the demands on content generation. It is important to strike the right balance between a target audience's impact on your operations and the resources you are willing to spend reaching them.

Deliver the message in a language they’ll understand.

Please see below the framework for an internal communication strategy.

The cells within the matrix below are to be filled with the names of the initiative intended for a given audience. 

                 | Adoption
Audience         | Visionaries | Pragmatists | Skeptics
-----------------+-------------+-------------+----------
Specialists      |             |             |
Operations Mgt   |             |             |
Strategic Mgt    |             |             |
Executive        |             |             |

How to handle the escalation of messaging: everyone starts with the pragmatist column and adjustments are made based on engagement.

Strategy starts out strong but tapers off as adoption grows.

Carefully choose your communication channel

A channel describes repeatable touchpoints delivered via a single medium.

Each organization has a set of communication mediums available to it: phone, email, or social media, for example. Security teams should leverage these tools to establish channels of communication with their desired audience. Keep in mind that each audience is going to have its own preference.

When planning touchpoints, it will be important to consider how the message will be delivered since the medium will have an impact on message quality, shelf-life, and urgency.

Some channels travel in one direction, while others are bi-directional. Social media providers like Slack, Facebook, and Stack Overflow offer internal variants of their services which are gaining in popularity with younger workers. While useful for thoughtful collaboration, it is important to provide for the professional moderation of these forums to avoid abuses like misinformation, confidentiality breaches, and harassment.

Instant messaging is an established medium for text, audio, and video, but it is time-sensitive and doesn’t lend well to prolonged discussion or being archived.

For security teams, a great opportunity for communicating with front-line workers is during a vulnerability review. In our experience, peer-to-peer communication with front-line developers is the channel par excellence for converting security awareness program detractors into promoters. This can be done in-person, and increasingly over instant messaging services with screen sharing. Establish quality lines of communication.

Create effective content to maximize the impact

Generating effective content requires the creators to know their audience. Given their technical focus, security teams should be forgiven if they lack a profound acquaintance with all but their most direct stakeholders.

When generating content, cater to audience motives. 

Anticipate their needs and wants; try to align your message to them such that it inspires urgency or reflection. The “Fear of Loss” theme is a staple in security, as is the “Appeal to Authority.” While both are effective, either approach can lead to stale messaging if overused.

Depending on the audience, consider appealing instead to a stakeholder's desire for quality, or for a state of constancy in one's role.

Style matters as well. The first image or sentence presented (in that order) represents an invitation to learn more and will have a major influence on whether the message gets consumed by the audience. It is important to bear in mind that the time and attention of your consumers is a finite and valuable resource. Strive for quality and keep it consistent with the organizational mission to convey genuineness. Be prepared to adapt over the long-term, as tweaks will be necessary.

Anecdotal stories of events that illustrate the message are appreciated by most everyone, so long as they are appropriate for the context.

Resist the temptation to use business jargon, as the words may not mean much within siloed teams, which often develop their own set of words and phrases distinct from the rest of the organization.

Take content shelf-life into consideration

The timing of messages will depend largely on their shelf-life and the effort required to produce them. Best practice guidelines and playbooks take a lot of effort to create and socialize, but they remain useful for some time and are unlikely to need frequent updates.

In contrast, a monthly newsletter detailing upcoming events will lose relevance as the timelines expire. In-person training, while expensive, can pay dividends by enhancing the skills and efficacy of security champions when they return to their own teams.

Be mindful of shelf-life and avoid over-saturation.

Putting everything together to promote security awareness

It all starts with an overarching mission — what is it that you want your audience to learn and do?

It would be wise to start small and seek to build momentum in organizational familiarity by sticking with successful channels. That said, one shouldn’t be afraid to pivot as the maturity of a communication program advances.

Ultimately, the strategy one decides upon is going to be unique, and the decisions made will depend greatly on available resourcing. Be agile and make the strategy a living document, allowing for the flexibility to add channels over time. Begin with channels that target your mission-critical audiences, and gradually build the capacity to develop and test touchpoints for more specialized purposes. It might be worth bringing a communications person on-board to consult the security team, perhaps even handling the program full-time.

As mentioned earlier, executing a communication strategy for cybersecurity consumes resources, and is likely to depend on executive support to be maintained for a period of time to create lasting change. Hard numbers reflecting results and/or effort should be used to justify these efforts. Metrics can also be used to fine-tune your strategy in-flight, responding to the needs and wants of your various audiences.

Within any audience, there will be some person-to-person variability in resistance to new ideas and processes. Some will take to security awareness quickly, while others will be skeptical, drag their feet, or even discourage adoption in others. It is important to surround yourself with skeptics early on to learn from their concerns and prepare responses to what will otherwise become uncomfortable questions.

Finally, a security culture is bolstered by internal communication narratives. It is important to drive toward the goal of making the entire organization more attentive toward security issues and risk management. Leveraging existing themes in the company vision can further this effort by hitching onto a well-established value that already has cultural momentum.

Learn about our security awareness training modules for developers that can help in building a security culture in your organization.

About the Author

Erik Service

Erik is part of the DevSecOps team at Security Compass where he coaches large enterprise clients to develop the people, processes, and technologies behind their information security programs. He holds a Master of Science from McGill University, and his professional interests include analytics, privacy-enhancing technologies, and driving a security culture.
