Gartner 2022 security trend #5: Beyond Awareness
This is the fifth in our ongoing series of articles about the seven key trends identified in Gartner’s report “Top Trends in Cybersecurity 2022,” released to its clients in March. The fifth trend identified in the report is called “Beyond Awareness.”
Some form of human error or misjudgment is involved in the majority of data breaches. This goes well beyond failing to spot a phishing email: it also includes misconfigured systems, data misuse or misdelivery, and the use of weak or reused credentials. Since these are everyday working habits rather than gaps in knowledge, the prevalence of such errors indicates that traditional, compliance-driven security awareness training is no longer effective at reducing them.
Gartner foresees the continuing emergence of a new type of program to replace traditional training: a security behavior and culture program (SBCP).
Traditional training falling flat
You’ve probably experienced this yourself. Once or twice a year, it’s announced that all employees must complete the security awareness training program by a certain date in order for the company to remain in compliance with regulations.
Literally everyone in the company regards it as an unwelcome chore. You put it off as long as you can, and when you finally decide to tackle it, you try to crash through it as quickly as possible, just to get it over with.
The program itself is written by cybersecurity experts, with the aim of conveying cybersecurity information efficiently and testing employees’ comprehension of it. You can only engage the program through a single type of device and portal. And the program is identical for everyone, completely static, and — especially for the younger generation of workers who come with high digital aptitude and cyber literacy — not successful at either conveying new information or instilling any kind of passion or motivation for adopting secure practices.
To the extent that it affects corporate culture, it primarily instills a shared sense of disdain and impatience toward security awareness training.
Compared to the old, hackneyed training programs that are primarily intended to achieve compliance, the new SBCPs take seriously the task of reducing cyber risk by effecting real, lasting change in employee behaviors and in the corporate culture overall.
This is especially important in light of another trend identified in Gartner’s report, namely the increasing distribution of security decision-making throughout the business. As growing numbers of business technologists are empowered to make cybersecurity judgments on a day-to-day basis in the course of their work, they need to acquire habits of thought and patterns of behavior that go beyond merely spotting phishing emails and responding appropriately.
In order to achieve this, modern SBCPs are built not exclusively from a cybersecurity perspective. Instead, they integrate multiple disciplines in order to operate more like a classical, full-fledged marketing campaign than like an old-school security awareness campaign.
This means that multiple non-cybersecurity competencies must come into play, such as:
- Marketing and public relations
- Human-centric design principles
- Organizational change management
- Psychology and sociology
Getting ahead of the trend
As a leader in security and risk management for your organization, your goal should be to drive a cultural change that gives all workers engaging with digital systems effective cyber judgment skills, along with a strong motivation to apply them in the course of their work.
This will require you to become conversant with organizational change management and social science principles that can be applied to changing organizational culture.
In addition, you’ll need to collaborate with business leaders across the organization to ensure that everyone involved in business technology is exposed to culture-changing activities and can access training.
Finally, you'll want to engage with a cybersecurity training vendor that uses a platform-centric approach and provides features that drive engagement and produce measurable behavioral change, such as:
- Real-world phishing simulations that are based on up-to-the-moment threat trends
- Gamification that publicly rewards high performers while also motivating lower performers to improve
- Adaptive, contextualized training based on performance
- In-the-moment nudges to drive improved judgment
If I weren’t committed to avoiding any kind of sales-y approach to this blog series, this is where I might mention that Barracuda Security Awareness Training is a platform-based program that checks a whole lot of those boxes. But I am, so I won’t. You’re welcome.