- By Jim Shields, Creative Director, Twist & Shout Communications, a KnowBe4 company

Security awareness has never been more important and it’s not getting the attention it deserves. If we are to reduce the incidence of breaches, we need to move from doing security awareness training to creating a culture of pro-active, grassroots employee engagement.

The key to doing this is unleashing the power of storytelling to get people excited about the issues. KnowBe4’s Inside Man is one innovative way we’ve been doing that.

Reframing risk: benefits of a security culture

Satya Nadella, Microsoft CEO has reminded us that “culture eats strategy for breakfast”, because culture operates at a deeper level of influence than strategy within an organisation. Culture operates at the level of an organisation’s DNA as well as values, beliefs, habits and practices- not just policies and procedures.

Having a security engagement culture means, for example, users say “that’s just what we do here” when speaking about their security practices. This way, you’ll benefit from having informally recruited an army of security-conscious employees who really care.

A culture of security engagement therefore reframes your employees from an information security liability into an asset.

How to create a security culture in your organisation with stories

In order to influence your organisational culture, you can use stories to do so. When we read a story, see a film or listen to a dramatic podcast, our brain places us at the heart of that story. We don’t simply process a good movie as something separate to us. We get emotional because the brain is telling us we are absolutely in this story. This is why we get scared in horror films, and laugh (or cry) at romantic comedies.  We have emotional ‘skin in the game’.  This makes stories much more memorable, long-lasting and effective as a piece of communication.

Advertisers have known this for decades and have used it to their advantage to create an emotional connection between consumers and products. So what you (The CISO/IT Manager) can do is to sell the idea that your employees have a responsibility to protect company data.

This important storytelling role is where our series The Inside Man comes in.

The story of how The Inside Man series was born

So, with the desire to create a security awareness programme that encouraged an engagement culture, my team and I at Twist & Shout communications spoke to KnowBe4 CEO, Stu Sjouwerman, about his vision for the company. He told me he wanted to be the Netflix of the security awareness universe (I might be paraphrasing just a little).  I was completely onboard. We returned to pitch several ideas for Netflix-style entertainment series, the winner of which was The Inside Man.

Even for us with years of experience in creating educational videos, this was ambitious. First billed as a comedy drama, we realised that the depth of emotion became much deeper as our central character, Mark, a young man with very rare and special talents, was “placed” inside a corporation with the express objective of bringing them down. His assimilation into office life takes him by surprise and he suddenly realises, after a lifetime of hacking for hire from dark cellars around the world, what a family feels like. He becomes tortured by this realisation that he is betraying the people he should be protecting, and is tragically conflicted. If this storyline does not sound like a corporate training video, that’s because it isn’t-  training is not its job- its job is awareness.

When we showed the first cut of The Inside Man, Season 1 to KnowBe4 Chief Evangelist Perry Carpenter, he said that this series would change security awareness forever, saying ”The Inside Man sets a new standard for production quality, storytelling, emotional range, and embedded learning.”

Upon release of the series, we started to get feedback. Accounts of employee fan behaviour started coming in, like the guy that moved companies and begged his new employer to sign up for a KnowBe4 demo just so he could see the season finale. Or the countless employees emailing their Information Security department to thank them for this new style of “training”. Average employees now wanted to engage with cyber security because now to them, it really mattered.

Nuts and bolts: Three things you can do to create a security- engaged culture in your organisation

So I have established that there is a need to create a security-engaged culture, and I have shown how storytelling can do this. Here are a few thoughts that might help you in your transition when moving from a training and awareness to a culture of engagement:

1. Do a baseline check on your security culture

KnowBe4 and Softwerx can help you with this.

2. Run your security awareness drive as a campaign

Prioritise information security awareness within your company. Understand the risks of not taking action. Then start building your security culture. For example, you can sign up to access The Inside Man and schedule the training in your organisation. The Inside Man gives staff an excellent foundation of motivation on which to build more practical awareness training. Use KnowBe4’s other assets (posters, etc) to drive traffic to the training, and remind everyone that ‘this is who we are and what we do as a company’.

3. Create a space for feedback

Do a survey collecting feedback on the security awareness training, and start the right kind of conversations.  Regularly share any incidents in the news about insider threats and other security related stories on your internal threads and notice boards. Make stories important.

Taking the three steps above will help you develop a security-aware culture.

It’s a wrap

A security engagement culture is a situation in your company where employees care about information security. That means they want to learn more, share what they’ve learnt, and practice what they had learnt in order to make it a habit.

Considering that insider threats are on the rise and that the vast majority of breaches are due to human error, you can’t afford just to go through the motions of security awareness training.

Don’t you think it’s time to move from awareness to engagement?

Jim Shields is the co-creator and director of The Inside Man, Season 2 out now.

 

Follow Softwerx on LinkedIn and Twitter for the latest updates:

 

 

Back to Blog