How to make your employees more security savvy

William Candrick, Director Analyst, Gartner

Cybercriminals have become experts at social engineering, using increasingly sophisticated techniques to trick employees into clicking on malicious links. It’s up to security leaders to provide employees with the information and know-how to better defend against these attacks.

You can turn your employees into cybersecurity advocates, but only if your security awareness programs actually work. Bolster your initiatives with these three actions.

Employees need to become a control in their own right, one that detects and resists social engineering attacks. Yet security and risk leaders often fail to deliver a security awareness program that produces meaningful, lasting changes in employee behavior.

#1 Set the vision

Start by establishing a vision statement that lays out the security behaviors desired and required to enable the organisation to achieve its strategic objectives.

Do this with a cross-functional working group comprising representatives from across the organisation, including core lines of business and support functions. Secure approval from senior management.

The cross-functional team must develop a statement that embodies the end-state, or aspiration, for the security awareness program. It should resonate across the organisation and give employees a tangible lodestar to follow.

Articulate which signature behaviors would be on display if the organisation achieved its desired security awareness end-state. Signature behaviors are those that clearly demonstrate end users' positive intent and support for realising the security awareness vision.

#2 Define tangible, measurable desired behaviors

The core value proposition of any enterprise security awareness program should be to shape employee behavior so that it reduces the likelihood and/or impact of security incidents. Gartner advocates outcome-driven metrics (ODMs), which indicate an operational outcome and a benefit outcome aligned to the behavioral statements in the vision.

Mandatory completion rates and knowledge-check outcome metrics come via the standard reports available in the majority of security awareness computer-based training platforms. These are useful measures of how many of your end users are completing the security awareness training and how well the material is understood.

That is useful information, but it does not indicate whether the security awareness program is actually effective at reducing risk or delivering other tangible business benefits. ODMs, by contrast, measure outcomes that can be tied back to measurable protection benefits.

#3 Link behaviors to measurable benefits

Once the ODMs have been collated, link those insights to the business drivers that senior leadership really cares about. Start by measuring the root causes of human-generated cyber risk whose improvement will deliver benefits, for example the number of cybersecurity incidents caused by data misuse or human error. Such metrics should improve over time if your awareness program is working effectively.

Then link those benefit outcomes to business drivers and benefits, which at most organisations will relate to revenue, growth, cost management, risk management and brand reputation.