A good and effective Cybersecurity Awareness Program is not a ‘set it and forget it’ kind of thing. It takes constant care and feeding. If it is important to the organization (and it is), to our clients (and it is), and to our people (and it must be), then planning for its sustainability is critical.
Part 3 of this series: Keeping Security Awareness Sustainable.
Practical Ways to Keep Your Program Sustainable:
Let’s remind ourselves of the big picture of the Cybersecurity Awareness Program journey.
- Stay the course. Don’t stop just because something doesn’t work as you expected.
- The cybersecurity awareness program MUST be agreed to and modeled by LEADERSHIP.
- EQUIP Leadership (at all levels) to be successful in supporting Security Awareness.
- Bake it into Onboarding. Start a new hire off with an understanding of the importance of security and security awareness at this organization.
- Keep the tone POSITIVE. There’s only so much negative that people can take. Even negative stories/issues can reinforce the positive actions and awareness people need.
- Deweaponize your Cybersecurity Awareness Program. If your program just catches people doing the wrong thing or just emphasizes what not to do, it will sour quickly in the minds of your people.
- Be mindful of who sends the message. It can’t just be the IT Department. Here are some suggestions:
  - Use multiple voices to get the message out.
  - Leverage top executives for messages or information that is organization-wide or strategic in nature.
  - Leverage direct supervisors to get more specific information to individuals on how this impacts them in their day-to-day work.
  - Use peer-to-peer messaging. It’s always good to hear from the “normal people” in the organization. People will often listen to their peers before they listen to IT or leadership.
  - Use outside experts to assist in your efforts. Sometimes, it takes an outside voice to get someone’s attention.
- CLEARLY and REGULARLY state: Who to call/email; What to do if you have questions; What to do in the face of…
- Use your metrics wisely.
  - What you do with metrics matters. Measure security awareness-related activities that show or measure changes in behavior (statistical and anecdotal).
  - Continue to gather them. Metrics give you opportunities to tie changes in the program to trends in the behaviors of your people.
- Cadence is important. Security Awareness information can’t be a “once a year” thing. A sustainable program creates an environment that expects a steady flow of useful security information, education, and guidance.
- Leverage multiple learning opportunities or avenues:
  - On-demand content
  - Monthly topical emphases
  - Live events
- Be prepared to distribute “in the moment” communications and educational opportunities in the face of an incident that occurred, a new “threat in the wild” for people to be aware of, or a testimonial of an organization or client event.
- Invest in the program. It can’t be fully automated and requires time, attention, and resources.
  - Ask how big a team the organization can (or cannot) afford.
  - Know that you can’t do it all yourself.
  - Provide around-the-clock response.
  - Outsource elements of the program if needed.
Security Awareness is essential in today’s world. People are the target and the primary starting point for security incidents. Invest in a program that is Engaging, Relevant, and Sustainable.
Reminder: If you need help getting your security awareness efforts off the ground or achieving all three goals with your cybersecurity awareness program mentioned in this series, we’re here to help.
Kenny Leckie
Alterity | Senior Technology & Change Management Consultant
In his role as Senior Technology and Change Management Consultant, Kenny provides thought leadership and consulting to the community in areas of information security/cybersecurity awareness, change management, user adoption, adult learning, employee engagement, professional development, and business strategy. He also works with clients to develop and deploy customized programs with an emphasis on user adoption and increased return on investment. Kenny is a Prosci Certified Change Practitioner, a Certified Technical Trainer, and has earned the trust of organizations across the US, Canada, the UK, Europe, and Australia.
Kenny has more than thirty years of combined experience as a Chief Information Officer, Manager of Support & Training, and now a consultant, giving him a unique point of view and understanding of the challenges of introducing change in organizations. He combines his years of experience with a strategic approach to help clients implement programs that allow them to focus on the business while minimizing risk to confidential, protected, and sensitive information. Kenny is an author and speaker and a winner of ILTA’s 2018 Innovative Consultant of the Year.