Security awareness

5 Best Practices to Harden Your Human Firewall

Tyler Schultz
November 8, 2018 by
Tyler Schultz

It’s tempting to picture a perfect security program that ensures your workforce never clicks on a suspicious link or downloads a malicious attachment, but it’s important to remember that security awareness is not an all-or-nothing effort. When building your human firewall through security awareness training, incremental gains are important. Following a few best practices can help you stack your incremental gains and strengthen your human firewall.

We were delighted to speak with featured guest, Forrester senior analyst Nick Hayes about best practices to help build an engaging security awareness program that turns your employees into a proactive component of your security strategy. Here is what we learned.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

1. Beyond Awareness, Inspire Action

Don’t just aspire for security awareness. Inspire the behavioral change required to keep your organization safe from security threats.

Inspiring and driving behavioral change requires both ability and motivation from your workforce. As a security practitioner, it is your responsibility to provide the tools and training that enable your workforce to identify and avoid security threats. While ability is the first step towards behavioral change, your workforce must be motivated to turn security best practices into routine action. Even simple gestures such as sharing what interests you about security, incentivizing the right behaviors and celebrating moderate gains can motivate your workforce and inspire behavioral change.

2. Deliver the Right Message the Right Way

What is the right message, when should you send it and through what channels?

Message delivery can be the difference between a successful security awareness campaign and one that fails to engage your workforce. You can’t expect that every email, notification or training reminder will get the attention of your employees and drive the change you intend. Instead, you need to think strategically to not only build the most engaging and relevant content, but to deliver it using the right channels, to the right devices at the right moments. Focus on the frequence of messaging, the relevance of your information and the engagement of your content. By segmenting and monitoring each element of your messaging strategy, you can measure the impact of your message, make adjustments when necessary and ensure your messaging is the driver of your security awareness initiative.

3. Reinforce Your Tone at the Top

Top-down support is important for security awareness success. Communicate your efforts to executives in the most effective way.

Executive support is an important factor in ensuring the long-term success of your security awareness efforts. When presenting security initiatives to executives, think stories before statistics. Describe security scenarios using your colleagues as examples to reinforce the impact of threats and the importance of security awareness. Another useful tactic when presenting your security plan to executives is to align your security goals with your organization’s objectives. When executives see security awareness as a core element of organizational success, it becomes easier to to prioritize and support your program.

4. Mature Your Program With Metrics

Use all data at your disposal to track progress and measure the success of your security awareness efforts.

When running a security awareness campaign, it is important to track training participation, phishing training success and assessment scores. However, you should also strive to go one step further with your program metrics. Can you measure success at both the individual and department level? Can you integrate with third-party applications such as your endpoint protection to attach data points to even more actions? Taking full advantage of your program metrics allows you to become more strategic and tactical with your program while giving you the data to demonstrate value to your organization.

5. Develop a Dynamic Roadmap

Annual, required security awareness training and one-off efforts don’t work. You need a dynamic roadmap to sustain security awareness momentum and behavioral change in the long term.

Long-term behavioral change takes time to take hold. Plan your security awareness program to span at least one year to keep security awareness top of mind and drive lasting behavioral change. While it’s important to think of your security awareness program as a long-term roadmap, it is also important to remain flexible. By building a dynamic roadmap, you can build on the strategies that are working and adjust focus to areas that need improvement.

About Infosec IQ

Infosec IQ integrates phishing simulation and security awareness training in one platform to engage and motivate all learners to care about security, improve their personal security hygiene and report suspicious activity. With a deep library of 1100+ realistic phishing simulations and more than 500 training modules, assessments and support resources, Infosec IQ automatically personalizes learning plans for each individual learner based on their role, security aptitude and learning style.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Request Demo

Tyler Schultz
Tyler Schultz

Tyler Schultz is a marketing professional with over seven years of experience delivering SaaS solutions to organizations of all sizes. As a product marketing manager at Infosec, he is dedicated to helping organizations build strong cybersecurity cultures and meet their security awareness goals. He helps the Infosec team push the boundaries of effective and engaging security awareness training with a focus on experiential learning, gamification, microlearning and in-the-moment training. Tyler is a UW-Madison and UW-Whitewater graduate and Certified Security Awareness Practitioner (CSAP).