I have a love/hate relationship with October’s Cybersecurity Awareness Month. I think it’s fantastic that for a whole month security gets the microphone. I’ve seen security teams do fun things with that spotlight: hosting speakers, driving scavenger hunts, and running bug bashes. But when the dust has settled at the end of the month, I can’t help but wonder what’s in store for us for the remaining 11 months of the year.
As the saying goes, security has no finish line. So when I see programs push 90% of their efforts into October, I can’t help but wonder how resilient our workforce will be 3, 6, or 9 months from now, when we no longer have a giant megaphone and the workforce’s attention.
The fundamental problem with Cybersecurity Awareness Month is that its key metrics are engagement and participation instead of risk reduction. Ultimately, security awareness is a function of a security team and its metrics should be oriented toward risk. They should more closely resemble the metrics of the vulnerability management team than a movie-production studio.
How to Leverage Cybersecurity Awareness Month to Enact Lasting Change All Year Long
I’d like to argue that there is a far better way of using the spotlight that security teams have in October—one that actually reduces risk while creating a positive security culture. Here it is:
- Create an ongoing measurement of each employee’s risk level. Do this by measuring what employees actually do on a regular basis, not just what they know.
- Communicate each individual’s risk to them regularly (weekly or monthly) and give them guidance on how they can get better.
- Use October to celebrate your champions. Give recognition to the most improved, the most secure departments, the employees that saved your bacon by reporting, etc. Model for the company what great behavior looks like, establish a culture of positive security, and reward those who have achieved it. Praise in public, correct in private.
It’s time to focus your security team’s resources on ongoing employee behavior measurement and communication instead of paying for expensive celebrity speakers and games. This will return dividends in the form of risk reduction and quantifiable, risk-based metrics in a way that the current entertainment-focused approaches simply cannot. Elevate Security can help. Get in touch with us to learn how we can help strengthen your cybersecurity year-round.