Month: November 2024

Keeping Security Awareness Relevant

There is a tried-and-true principle that helps guide a successful security awareness program – until something matters to someone personally, they will never change. This speaks to an important part of all security awareness efforts – answering the question: why should they care? That’s why there is an ongoing need to keep your security awareness program RELEVANT to the individuals in your firm.

Part 2 of this series: Keeping Security Awareness Relevant.

Practical Ways to Keep Your Program Relevant:

  • Make it personal. Tie every security awareness communique to its personal application for the individuals in your firm.
    • Give people what they need to be successful. Don’t just tell them scary stories or things not to do. Provide practical, actionable guidance on what they can do in the face of ever-changing security threats.
  • Use current events – without driving fear. The news (industry-specific, regional, national, and international) is full of current events that can help drive awareness of the need for good security hygiene. The challenge is not to “scare people straight” with the information, but rather relate it to why security best practices should be on people’s mind as they do their job and live their lives.
  • Tailor the message to the audience. Not everything matters to everyone in the same way. Along these lines, consider who should send the message. Not everyone listens to the same people in the same way.
    • Get testimonials and stories from your firm. This brings the message of security awareness closer to home and closer to front of mind.
  • Use specific stories that are relevant to law firms and law firm personnel. While some generic security guidance is helpful, tailoring the messages and information to law firms and law firm personnel gets their attention more quickly.
  • Empower your people to respond. Remind them that EVERYONE is part of the security effort of the firm. Remind them regularly who to call, who to email, and what to do in the event of an incident or a security-related question.
  • Deal with resistance. Invariably, there will be pushback on participation in a security awareness program. This is most noticeable when you are asking people to DO something (like attend an event or consume learning content). Keep in mind that resistance is not bad. It is an indication of something. Listen to them and ask why.
  • FINALLY, the pièce de résistance. Give them practical tips and useful information to help them in their personal lives. Give them advice for their home, travel, family, and finances. Give them best practices for protecting their identity and the things that matter in their lives. This will win the hearts of your people and not just the minds.

Next will be the final in the 3-Part series – Part 3: Keeping Security Awareness Sustainable.

Reminder: If you need help getting your security awareness efforts off the ground or achieving all three goals with your security awareness program mentioned in this series, we’re here to help.

About the Author

Kenny Leckie

Senior Technology & Change Management Consultant

In his role as Senior Technology and Change Management Consultant, Kenny provides thought leadership and consulting to the legal community in areas of information security/cybersecurity awareness, change management, user adoption, adult learning, employee engagement, professional development, and business strategy. He also works with clients to develop and deploy customized programs with an emphasis on user adoption and increased return on investment. Kenny is a Prosci Certified Change Practitioner and a Certified Technical Trainer, and has earned the trust of firms across the US, Canada, the UK, Europe and Australia.

Kenny has more than thirty years of combined experience as a law firm Chief Information Officer, Manager of Support & Training, and now consultant, which gives him a unique point of view and understanding of the challenges of introducing change in law firms. He combines his years of experience with a strategic approach to help clients implement programs that allow focus on the business while minimizing risk to confidential, protected, and sensitive information. Kenny is an author and speaker and a winner of ILTA’s 2018 Innovative Consultant of the Year.

Keeping Security Awareness Sustainable

A good and effective Security Awareness Program is not a ‘set it and forget it’ kind of thing. It takes constant care and feeding. If it is important to the firm (and it is), to our clients (and it is), and to our people (and it must), then planning for its sustainability is critical.

Part 3 of this series: Keeping Security Awareness Sustainable.

Practical Ways to Keep Your Program Sustainable:

  • Stay the course. Don’t stop just because something doesn’t work as you expected.
  • The security awareness program MUST be agreed to and modeled by LEADERSHIP.
  • EQUIP leadership (at all levels) to be successful in supporting security awareness.
  • Bake it into Onboarding. Start a new hire off with an understanding of the importance of security and security awareness at this firm.
  • Keep the tone POSITIVE. There’s only so much negative that people can take. Even negative stories/issues can reinforce the positive actions and awareness people need.
  • Deweaponize your Security Awareness Program. If your program just catches people doing the wrong thing or just emphasizes what not to do, it will sour quickly in the minds of your people.
  • Be mindful of who sends the message. It can’t just be the IT Department. Here are some suggestions:
    • Use multiple voices to get the message out.
    • Leverage top executives for messages or information that is firm-wide or strategic in nature.
    • Leverage direct supervisors to get more specific information to individuals on how this impacts them in their day-to-day work.
    • Use peer-to-peer messaging. It’s always good to hear from the “normal people” in the firm. People will often listen to their peers before they listen to IT or to leadership.
    • Use outside experts to assist in your efforts. Sometimes, it takes an outside voice to get someone’s attention.
  • CLEARLY and REGULARLY state: Who to call/email; What to do if you have questions; What to do in the face of…
  • Use your metrics wisely.
    • What you do with metrics matters. Measure security awareness related activities that show changes in behavior (statistical and anecdotal).
    • Continue to gather them. Metrics give you opportunities to tie changes in the program to trends in behaviors of your people.
  • Cadence is important. Security awareness information can’t be a “once a year” thing. A sustainable program creates an environment that expects a steady flow of useful security information, education, and guidance.
  • Leverage multiple learning opportunities or avenues:
    • On-demand content
    • Monthly topical emphases
    • Live Events
    • CLE options
    • Be prepared to distribute “In the moment” communications and educational opportunities in the face of an incident that occurred, a new “Threat in the wild” for people to be aware of, or a testimonial of a firm or client event.
  • Invest in the program. It can’t be fully automated and requires time, attention, and resources.
    • Ask how large a team the firm can afford, or cannot afford to be without.
    • Know that you can’t do it all yourself.
    • Provide around-the-clock response.
    • Outsource elements of the program if needed.

Let’s remind ourselves of the big picture of the Security Awareness Program journey.

Security Awareness is essential in today’s world. People are the target and the primary starting point for security incidents. Invest in a program that is Engaging, Relevant, and Sustainable.

Reminder: If you need help getting your security awareness efforts off the ground or achieving all three goals with your security awareness program mentioned in this series, we’re here to help.
