Security Awareness Month: Three Tips Security Teams Can Use to Improve Employee Engagement
LogicGate | October 21, 2019
At LogicGate, we take National Cybersecurity Awareness Month pretty seriously. Now that we’re a couple weeks in, our Information Security lead, Heath Anderson, has put together a few tips security teams can use to help their coworkers be more security-aware. These are takeaways security teams can use not just this month, but throughout the year.
Heath, take it away:
1. Push your security tools as close to the end user as possible
One of the biggest changes to organizations in the last few years is the push into ChatOps. Platforms such as Slack and Microsoft Teams have changed the way organizations communicate—promising rapid-fire engagement and rewriting the expectations of end users across all tools. This has been a boon for Security teams as well, allowing them to establish communication channels during incident response and communicate more informally with the entire organization.
However, this change also means that users increasingly rely on Slack or Teams instead of email for their daily communication. Security reporting must adapt to ChatOps as well, and teams should prioritize creating channels to report in Slack or Teams in addition to more traditional methods such as email and direct ticketing forms.
An example is using Slack’s new Workflow Builder to allow users to report incidents via Slack and then connecting the output of that to your incident management process. This can increase engagement and ensure that incidents are not being missed because users change how they normally communicate.
2. Automate your feedback mechanism to increase transparency
Across many organizations, incidents are treated very rigidly. This is for good reason: the treatment of incidents influences key metrics and teams want to ensure they are not missing security signals through the noise of false positives. Additionally, if there is not a standard formal process, we risk mishandling important steps in the process.
However, this degree of formality and rigor can easily overshadow the end user’s perspective. Look at it from his or her direct experience: they submit an incident, receive confirmation that it is being handled, occasionally get an email asking for more clarification, and then find out it has been closed. The end user in this situation leaves the process feeling slightly probed and not sure if they helped in any way.
To help emphasize the information source—in this case, the end user—the process could easily be improved with a few personal touches. For example, when tickets change state from assessment to remediation, it can trigger personalized feedback to the end user. Ever used the Domino’s pizza tracker, which allows you to follow your pizza step-by-step from order to delivery? A similar process could be instituted for security risks: try to be the Domino’s pizza tracker, not the traditional pizza delivery that just appears at your door once it’s done.
3. Game-ify scenarios, and create situations for end users to use their skills
Company-sponsored phishing campaigns are the bellwether for great change in security training. Getting users to flex their security-awareness skills in safe scenarios leads to better overall security. The biggest question for security teams should be, where else can we do this?
Free services such as Targeted Attack by TrendMicro and Cybersecurity Lab by PBS’s Nova Labs offer great starting resources. Both introduce scenarios and gamification for other teams to utilize, which can serve as an entry point or as part of a larger game effort.
At LogicGate, we leverage these free services as part of a larger company-wide competition for Security Awareness Month. We split our company into teams and host ongoing security challenges that allow the teams to earn points for performing various actions (such as engaging with security tools). While we can’t go into too much detail (our end users might be reading for hints!), this serves as an opportunity to develop good security habits.
As they say, it takes 30 days to develop a habit!
Increasing employee engagement with security initiatives sometimes requires the Security team to view end users as customers of their product. If people aren’t buying, it isn’t being marketed correctly.
Take this Security Awareness Month as an opportunity to evaluate how you are selling security to your organization. See if you can increase engagement by pushing it to where people work (ChatOps), making them feel good about using it (increased feedback), and getting people excited about security (gamification).
Now that you have heard our perspective, let us know where you have been successful increasing engagement within your organization—what has worked and what hasn’t.