7 Rules to Influence Behaviour and Win at Cyber Security Awareness

For my father, Deepak, who made me the man I am today. For my wife, Urvi, without whose love and support this book wouldn’t be possible. For my mother, Hema, my brother, Sunny, and sister-in-law, Sharada, whose encouragement and enthusiasm keep me going. For my grandparents, whom I can never thank enough for everything they sacrificed for me.

––––––––

A special thanks to Dan Jones for his mentorship and to Paul De Araujo and Sameer Karamchandani for their friendship and support of this book.

Table of Contents

1. What Will This Book Do for You? 

2. Introduction 

3. Cyber Security and the Human Factor

4. Rule 1: Stop Relying on Bad News

5. Rule 2: Don’t Be Boring

6. Rule 3: Be SMART in Your Approach

7. Rule 4: One Size Barely Fits Anyone

8. Rule 5: Harness the Power of Allies

9. Rule 6: Be Persistent and Consistent

10. Rule 7: Get the Support of Senior Leadership

11. Coda

12. References and Additional Resources

13. About the Author

1  What Will This Book Do for You?

If you’re new to cyber security, it will help you understand and communicate the topic better. It will also give you a clear, jargon-free action plan and resources to jump-start your own security awareness efforts.

If you’re an experienced cyber security professional, it will challenge your existing assumptions and provide a better way to increase the effectiveness of your cyber awareness programs.

It will empower you to influence user behaviour and subsequently reduce cyber incidents caused by the human factor.

It will enable you to avoid common mistakes that make cyber security awareness programs ineffective.

It will help make you a more engaging leader and presenter.

Most importantly, it won’t waste your time with boring content (yes, that’s one of the rules!).

2  Introduction

I distinctly remember the scene like it happened yesterday, although it has been a few years now. I walked into a room full of mostly hard-nosed, seasoned, technical IT professionals where I was invited to speak on the importance of following good security processes and standards. I know the topic sounds boring—it is quite dry, and presenting it to a group of people who probably have heard it all before made it even more challenging. This was aggravated by the fact that technical IT people generally have a low opinion of management types in suits telling them how to do their jobs better. In their minds, they feel these people don’t have a true understanding of their roles and day-to-day challenges they face.

However, the good news for me is that I like tough environments. There are very few things that match the thrill that comes with winning over a difficult crowd through your public speaking and presentations. Also, I was determined to make my presentation useful to the audience, and thereby ensure the teachings from it had a higher likelihood of being applied.

Now, a lot of IT personnel are familiar with the negative connotations associated with use of the word cowboy in their job’s context. This word implies a cavalier attitude towards following established standards and processes and bypassing them in order to get their jobs done faster. From personal experience working with numerous IT teams over the years, I know they don’t like this description of them. In their minds, they are doing the best they can under the circumstances, which can include aggressive and urgent timelines to deliver outcomes, often with limited resources.

To get attention and engagement from this tough crowd, I started my presentation with a real-life picture of me from Facebook wearing a cowboy hat, boots, and singing karaoke to Johnny Cash’s classics. Being an avid country music fan and a pretty good country dancer, if I do say so myself, I have lots of such stories and pictures. Starting my presentation with that image and implying, tongue in cheek, that I am one of the cowboys got a lot of chuckles from the attendees and instantly eased the atmosphere in the room. I followed that up with my customary introductory slide that had my name and senior cyber security job title, accompanied by a lot of initials that indicate the various industry certifications I hold. I then made a comment with a slightly sarcastic smile on my face: Hope you understand that my title and all the initials following it just mean I’m a really smart guy.

The way I said it made the audience start laughing. They knew I wasn’t going to be just another cyber presenter in a suit and that I was willing to make light of all the assumed self-importance of senior leaders who think they are automatically owed respect due to their titles and qualifications. From there on, it was easy. I had the audience interested, engaged, and totally involved with my overall message on security processes and standards. In fact, I had several audience members walk up to me after the presentation to say how much they’d enjoyed the talk and discussed ways in which they’d apply the principles I shared. All said and done, I consider this presentation a success!

Now, this wasn’t the first time I had adopted a laid-back and humorous approach tailored for the audience in the room. All through my years doing public speaking and presentations on cyber security, I have used similar tailored approaches, be it presenting to a group of accountants in Colorado, USA or to a group of executives at a conference in Sydney, Australia.

At a high level, my approach to awareness is all about knowing what to communicate, how to communicate, who to communicate to, and when to communicate. Over my career, I’m fortunate to have had the opportunity to work with people in different countries with various backgrounds. Through my years of professional experience, public presentations, and learning from both successes and failures, I have perfected a process that works effectively for creating winning cyber security awareness programs.

Now let’s look at some points that make a strong case on the need for cyber security awareness. On a nearly daily basis, when you read news about cyber-attacks—causing millions of personal records to be leaked, businesses to suffer crippling damages to