We consistently get inquiries from clients asking us about the trends and effective ways to create cybersecurity awareness within their organization. This field has grown so much in recent years. There are now so many fantastic tactics that organizations have tried and tested; we can all learn from them. You should never have to resort to one-off, perfunctory, computer-based training — instructional learning does not work. Our latest research provides a solid and inspiring set of awareness and engagement tactics. These tactics span boards, executives, lines of business, and end users. They also address issues of building a security culture in the extended ecosystem (e.g., with customers).

When we kicked off writing “Harden Your Human Firewall: Engagement And Communication Tactics That Strengthen Security Culture,” we wanted to provide a solid and inspiring set of awareness and engagement tactics. Our hope was that everyone could use these tactics to get inspiration, regardless of the stage of maturity they’re in. What I learned is that this research is not static, as this is a rapidly evolving field. We will be updating this report over the next 12 months, with your help, of course.

There are many organizations that are just starting out on the journey of creating a security awareness program. They often don’t know where to start. Conversely, there are some security teams that embraced this exercise many years ago and have done truly outstanding campaigns. Their challenge is different: They feel like they’ve done everything already and are looking for inspiration. This research aims to help both. The report breaks down the tactics to target four distinct human firewall communities:

  • Combine innovative engagement with pragmatism to win executives’ hearts and minds. Tactics that use experiential learning and gamification with senior executives have proven to really engage and increase understanding.
  • Make security relevant and top of mind for tech and business functions. There are many tactics by which to engage the extended enterprise that may not care or, even worse, be frustrated by security. Some of these use gamification, while others are more serious.
  • Reach end users in familiar and compelling ways. Awareness teams have come up with a huge body of creative work activities targeting end users. This includes escape rooms, games of Monopoly, and books of short stories. There is so much for us all to learn here.
  • Extend your reach by building trust with external stakeholders. It’s so interesting to me how so many organizations (banks, primarily) are working to educate their business and consumer customers on cybersecurity. This really serves to recognize that security is an extended ecosystem and that the human firewall has to go wide and deep.

All in all, I got so much inspiration writing this research from all those whom I spoke to. My hope is that you do, too.