Five Best Practices at the Heart of Starting a Successful Security Awareness Campaign
October is finally here! The leaves are changing, the temperature is dropping, and, most notably, at least for me, it’s National Cybersecurity Awareness Month.
As OpenGov’s Director of Education, Policy, and Communications for our Global Security Team, the month of October is my Super Bowl. After 12 years managing security communications strategy and raising awareness, you’d think my excitement would’ve subsided, but, truth be told, I’m giddier this year than ever because it feels like cybersecurity awareness has become more prevalent for organizations of all kinds, including OpenGov and the local governments we serve.
Increasingly, local governments are taking proactive measures to reduce the threat of cyber attacks on their governments. They recognize that the risk is real. In 2019, 113 local and state government agencies were hit by ransomware attacks, disrupting their service and operations and resulting in a massive loss of critical data. Many have taken steps to move to the cloud and improve security as they strive to make data more available, but they may be missing a critical piece: effectively communicating security best practices to their own people.
Local governments have adopted cloud technology, they have adapted processes, and yet they still struggle to ensure staff across departments are informed and risk aware. Communicating the importance of cybersecurity and implementing a security awareness program is a critical first step toward securing your organization. I’m thrilled to share my best practices to help you successfully communicate your security expectations and goals.
When I started working in security awareness, I worked on the federal level with the Transportation Security Agency (TSA). I loved aligning security with the agency’s mission by creating plans and brainstorming creative ways to gain buy-in from employees. I even manned a security information station with pride. I handed out pamphlets and candy reminding everyone to get their compliance training done by the end of the month. People smiled, training seemingly got done. I felt accomplished!
Imagine my surprise when I tried a similar approach at a tech company a couple of years later only to find that the security information station and candy model didn’t resonate at all. I knew the content I was sharing was important, so why weren’t people interested?
I had to step back and realize that although I knew a lot about the learning objectives and messages I was trying to convey, I needed to take the time to learn about my new organization, find an executive to help champion my ideas, define what a successful campaign at this organization meant, and learn about the motivations and behaviors of my colleagues.
It’s been a decade since I realized my mistakes, and I’ve spent that time in the public and private sectors passionately focused on keeping people safe and secure — from my kids at the dinner table to supporting global organizations.
I’ve experienced many different organizations and periods of change. When I arrived at OpenGov, I was prepared – playbook in hand. Though organizations may be different, there are five best practices I’ve found to be at the heart of starting a successful security awareness campaign:
- You need a champion at the executive level. You need an advocate. Not just for signing off on purchasing a new phishing tool, but for evangelizing security awareness before a breach. If security can become everyone’s problem, it should also be everyone’s responsibility, and you need someone at the top to establish security awareness as a priority within the organization.
- You need to listen. My biggest mistake when I switched organizations for the first time was assuming that what I did at my last company would work for the next. The unique and special nuances within each organization are what unify and empower employees. Tap into those, align — don’t collide — with the core values and you will avoid climbing up the down escalator every time you want to raise awareness.
- Have a clear definition of success. This is my first October with OpenGov, and I’ve clearly defined my success metrics for this month, and they’re all centered around ransomware. Although “engagement” at my security information station seemed high, at the end of the month all those years ago, I didn’t have any data to show if I had moved the needle. Whether it’s revamping processes, updating your security training, increasing participation in a new gamification effort, or writing content, set measurable and achievable goals and drive toward them. Anecdotes are fun, but data is actionable.
- Build trust. At OpenGov, we live by a code of accountability. You will often hear, “We do what we say we will do,” in our internal presentations. It’s one of our core values. I’ve adopted it into my program and strive to do this in every engagement I have with my colleagues. We are transparent in our policies and explain the “why” behind our decision-making. If you want people to listen and learn about security, you need to ensure you are a consistent, trusted source.
- Celebrate success. My colleagues are busy. Their list of day-to-day deliverables will likely not include “report a phishing email.” Want to inspire that behavior? Celebrate them when they do, and reinforce those behaviors you’ve been preaching about all year. We do shout-outs in all-staff meetings and call out people who have helped keep our organization secure. How do you celebrate?