I am thrilled to announce that we have updated one of the first pieces of research I published when I joined Forrester in 2018: what we then called “Harden Your Human Firewall.” This is now replaced with these three reports (available to Forrester clients only): Influence And Engage Executives, Influence And Engage Technology And Business Functions, and Influence And Engage Employees.
Building a strong security culture is no easy task. It requires strategy, vision, people, and the right attitude to change behavior and set a cultural shift in motion. To do this, you will need to invest in activities that will influence and engage your stakeholders, many of whom are probably sick and tired of hearing about security in the press, through the lengthy security training programs they are subjected to, in audit findings or board reports, or even as consumers. Your activities will need to be creative and impactful to resonate with this fatigued audience and motivate them to behave securely.
Instead of constantly trying to come up with creative ideas, learn from the experiences of others in our three reports, which showcase how security leaders around the world have engaged and influenced three distinct stakeholder groups:
- Board members and executives, whose advocacy is crucial for security’s funding, success, and setting the tone from the top. To win them over, security leaders have placed senior executives in the spotlight to analyze their personal cybersafety profiles, provided executives with “white glove” cybersecurity, and built FAQ documents to outline the types of questions that boards should ask CISOs, helping all parties be more aligned.
- Business and technology functions, whose buy-in is essential to ensure security’s involvement at the business or project level. To get their buy-in, security leaders have offered engaging and personalized training to bring these constituents to the table to listen, learn, and share knowledge. They’ve used a variety of puzzles, word searches, and word jumbles to challenge and engage. They have also run “capture the flag” challenges and brought in industry speakers to make security threats real.
- Employees, who are an essential part of any security strategy. Activities used by security leaders to influence user behavior change include employee virtual scavenger hunts, employee testimonials of real-life personal cyberincident stories, and security Wordles.
By all means, continue on your quest to win the hearts and minds of your stakeholders using this creative content and experience-driven awareness, but proceed with some caution. Security leaders need to:
- Remember that content- and experience-driven awareness is one tool in your toolkit. At Forrester, we have spent the last couple of years warning against the status-quo focus on providing “better” content as the sole way to drive behavior change and instill a security culture. I therefore hesitated to undertake this awareness-focused project. So why did I do it? For two reasons:
  - While, eventually, human risk management and adaptive human protection will reduce the need for security to overengage with various stakeholders, until then, you will still need security awareness activities. They remain necessary to build critical thinking, change behavior, and instill a culture of security.
  - Our clients are constantly looking for new ways to capture the imagination of security-fatigued senior executives and tech and business teams, as well as employees. And when our clients repeatedly ask us about something, we cover it.
- Retire the “human firewall” terminology from your vocabulary. We are retiring the term “human firewall” from our research and hoping that you will retire it from your vocabulary. This research is now under the umbrella project of “engage and influence.” Why did we make the change? For one, firewalls appeal only to security folk — the first-ever security presentation I delivered in 1999 proudly sported many images of firewalls, which were then a revelation to me as a new grad. Dear readers, it is no longer 1999, and our target audience is not security folks. Additionally, we need to employ engaging, inclusive images and language. People aren’t receptive to behavioral change if they don’t see themselves in the content, and firewalls don’t create a connection for most people.