Security Behavior Change

How to Take a Different Approach to Security Awareness Month

Masha Sedova

Published on 6 August 2018

National Cyber Security Awareness Month (NCSAM) is right around the corner, and every year I find myself thinking of ways to maximize the unique opportunity this month brings. The momentum behind NCSAM provides support for engagement programs that might otherwise be hard to come by. This support can come in the form of resources, executive buy-in, or employee mind-share.

However, to maximize this golden window, security teams must crack the nut of scalability. How do you reach your employees in an engaging, high-touch way when they are located across time zones? For example, smaller offices will only ever get screencasts of an impressive lecturer without the excitement of attending in-person. To date, I’ve participated in dozens of NCSAM training events and the two biggest downfalls, in my experience, are:

  • They don’t scale well across offices
  • They can be really time intensive to roll out

Working at Salesforce prior to founding Elevate Security, we had offices in sixty countries, and at such scale, it was pretty impossible to effectively roll out security events globally. Because our security team couldn’t be in all of the offices, it was hard to deliver great and consistent security experiences and get employees excited and engaged in the process. Remote offices often got the short end of the stick and this didn’t make our team look good nor make our company any more secure.

Achieve Visibility Across Offices

Chances are, you’re facing many of these issues too, so as you look ahead to NCSAM in October, I’d like to offer a different approach for you to consider that provides more visibility for your security team, higher attendance rates to boost your metrics, and measurable increases in awareness.

In designing Elevate’s product roadmap, the first thing we wanted to deliver was a solution to the above situation. How could we get every employee engaged in the security conversation at a personal level without having a dedicated security professional in the room? That’s exactly why we built Hacker’s Mind, so that everyone can experience the exact same engaging experience, no matter if you’re in San Francisco or Hong Kong. Because security professionals aren’t required to run the game, security “champions” can be delegated across offices to run the game with their teams, but Hacker’s Mind does all the heavy lifting. See how it works.

Hacker’s Mind gave our security champions visibility and positioned them as experts. After the game, employees were taking their names, contact information, and asking if they can reach out if they have questions. – Aika Sengirbay, Sr. Information Security Program Lead, Autodesk

A Use Case

As an example of how this can be done, Autodesk set up security “happy hours.” With minimal onboarding, security champions were able to facilitate an interactive roundtable experience, where players learned about real-life attacks that could happen to the company and experienced in a simulated fashion how these attacks unfold. Then, they devised their own attacks and team members voted on which person devised the best attack. It’s competition at its best!

Several employees came back the next day to play Hacker’s Mind again because they lost the first time and wanted to win! I’ve never seen employees come back to go through training again. – Aika Sengirbay, Sr. Information Security Program Lead, Autodesk

A group of employees playing Hacker’s Mind

Not only does this give employees a better experience that they’ll appreciate and remember, it also makes you look good in the process!

Meet Metrics Goals with Ease

By delivering a highly engaging, scalable training, more people will be able to access training and they’ll also be more likely to finish it. Not only can this help meet attendance rates for training, but with a more interactive, experiential training, real behavior change will take place, resulting in the company becoming more secure.

Hacker’s Mind, for example, shows you exact completion rates, and the results are easily shareable so you can quickly demonstrate the value of your security awareness program.

Sample reports and metrics from a Hacker’s Mind campaign

Do Something Different This October

The holy grail of security awareness training is an experience that employees truly enjoy and that makes you look good in the process. This October, I challenge you to give your employees the best experience yet by immersing them in security with a new take on awareness training — Hacker’s Mind. Employees will love it, it’s easy to roll out (employees can self-run it), it makes you look good, and your company will become measurably more secure as a result.