Episode 19

Making Cybersecurity Communication Effective

Cybersecurity communication should be simple, immersive, attractive, continuous, and multi-channel, says Marcin Ganclerz, a subject matter expert. He passionately argues for creating a 'culture of enablement and not fear' so employees can play a vital role in enhancing cybersecurity communication effectiveness. Marcin also shares several examples and best practices in support of his recommendations.

Time Stamps

00:42

Marcin, how about sharing with listeners a bit about your professional and cybersecurity journey?

03:10

How about we start with some challenges and hurdles that are associated with effective cybersecurity communication.

07:18

What would you consider are the key elements or attributes of effective cyber communication?

13:43

So let's talk about some best practices or guiding principles that you see out there.

22:56

You said the education about cybersecurity should be permanent. Tell us a little more about that.

38:29

So I'd like to ask you to start wrapping this up by sharing some key messages, some final thoughts, whatever you'd like to share with the listeners.


Memorable Marcin Ganclerz Quotes

"The technical experts suffer from the curse of knowledge."

"We should show employees, show users, why cybersecurity is so important for them. And I think the best way to do it is to show them that it applies to their personal life."

"Cybersecurity communication should be simple, immersive, attractive, permanent, and multi-channel."

"When we treat people as a strong link, they act as a strong link."

"Concentrate on building a culture of enablement, rather than a culture of fear."

"People love to feel valued. They want to be an important part of the cybersecurity system."

"If you have the right culture, people will feel responsible for cybersecurity, they will feel like a vital part of the cybersecurity system and they can be your really valuable asset. But remember, you have to educate them, train them and reward them, not blame them."

"Employees can be valuable assets for the organization, but we have to educate them, train them, and reward them."

"So if you want to build a great culture in your organization, you have to reward your employees, show them that they are important."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone. I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I have the pleasure of talking with Marcin Ganclerz, an expert in cybersecurity awareness and training. Marcin, welcome. It's great to have you as a guest on the show today. Thanks for making time to share your thoughts and perspectives with listeners. To get the ball rolling, Marcin, how about sharing with listeners a bit about your professional and cybersecurity journey?

Marcin Ganclerz:

Hello, Dave, thank you so much for having me on. It's great to be here. My cybersecurity journey is quite interesting and unusual, because I'm a former journalist. I worked at the Polish public television for eight years. And one day I had to prepare a TV material about a phishing attack. It was about a man who lost all of his money because cybercriminals broke into his bank account. It was a time when phishing attacks weren't so common in Poland. So as a journalist, I started searching for information about phishing attacks: what they look like, what the consequences of the attack are, what the techniques are. I had to record some experts. And that's how I found cybersecurity is very interesting. And after I had finished this material, I started reading about cybersecurity, following some experts. And that's how I became passionate about cybersecurity. A few years later, I saw that the biggest bank in Poland was searching for a person responsible for building a cybersecurity program for clients and employees. And I came to the conclusion that it's the best time for me to dive into this cybersecurity world. I got this job. And that's how I became a Cybersecurity Awareness expert.

Dr. Dave Chatterjee:

Fantastic, what a great, great story. Marcin, you have a lot of experience, a lot of interesting stories probably to share with the listeners. How about we start with some challenges and hurdles that are associated with effective cybersecurity communication?

Marcin Ganclerz:

No problem. I think one of the biggest problems is that, for many organizations, cybersecurity is not a priority. So they prefer to invest in some security tools, software, rather than invest in this human operating system. They don't want to spend the money for educating employees. I like this meme; probably you know it, and our listeners also: security budget before and after the breach. I think it's the same with education. So if it's not a priority for the organization, it's hard to educate employees. They don't see this communication.

Another thing is there's that huge gap on the market. I mean, there aren't a lot of experts, not technical experts, who are specialized in cybersecurity awareness. Usually in the organization, the person who is responsible for educating employees and for cybersecurity awareness is an information security specialist or technical expert with the technical knowledge. And I think the problem with them is that they don't know how to communicate. The technical experts suffer from the curse of knowledge. So for them, everything is simple. I can tell you a great example. Once I had to write an article about passwords, and when I was writing this article, one of the directors came to me and said, "Hey, you should write about password entropy." And I looked at him and asked, "How many people know what entropy is?" And the answer was silence. It's a great example of how most technical experts think; for him, it was obvious what entropy is. For most of the users, cybersecurity is scary, confusing, intimidating; they don't understand it.

Next example. When we tell employees how to create a password, we tell them, "Hey, it should have at least 12 characters, uppercase, lowercase, special characters, numbers, and you should change it every 90 days. And what's more, you cannot have the same password on other portals or services." Is it simple? No, for the users, it's really hard to do it. I prefer to tell them, "Hey, use a password manager."

Dr. Dave Chatterjee:

And,

Marcin Ganclerz:

And the last problem, I think, is budget. So if you want to create attractive, immersive communication, you need money. If you want to prepare e-learning or a webinar for your employees, attractive video games, and so on, you need money. If you don't have money, it's hard to do something constructive. It's possible, but it's more difficult. So I think that these are the most important challenges for building effective communication.

Dr. Dave Chatterjee:

Makes a lot of sense. I'm glad you touched upon a very key area. The challenge lies in finding those people who know enough about the phenomenon, have reasonable technical awareness, and have the ability to communicate in plain and simple language. As you know, the cybersecurity phenomenon is very complicated, with so many terms, terminologies, and jargons. The best thing that could happen to enhancing awareness is to try and simplify the message. One of the primary reasons for doing this podcast, Marcin, is to make the cybersecurity conversation more mainstream. And I'm so glad that you have joined me in this discussion. So moving along, what would you consider to be the key elements or attributes of effective cyber communication?

Marcin Ganclerz:

I think one of the most important things is to show people why this is so important. There's a great TED Talk by Simon Sinek, 'Start with Why.' And we should show employees, show users, why cybersecurity is so important for them. And I think the best way to do it is to show them that it applies to their personal life. So, here and there, I mean here at your work and there at your home, threats are the same. Cybercriminals don't look at whether it's your personal or business email; they have all of these addresses and send the campaign to all the addresses they have. So we should persuade employees that everything you learn at your work will help you to be safer in your personal life. At your job and at home, we are shopping and banking online, we have mobile devices. But at home you don't have a whole cybersecurity department that can help you to protect against this kind of threat. So we have to arm employees with tools, and the best tool is knowledge: knowledge of what the attack looks like, how to recognize it, and how to react to it. So by doing it, we will make them great cybersecurity agents who can help protect our company. And they will be safer at home.

The next thing is that cybersecurity communication should be simple, immersive, attractive, permanent, multi-channel. We cannot only release a cybersecurity training once, only for new employees. Of course, we will be compliant with some regulations, but it won't change anything. If we do a training once every few years, it won't change anything. So we have to send them a message every month, every week, in different channels, because there are a lot of channels in the organization. Of course, every cybersecurity communication program and awareness program should be adjusted to the organization. It's easier to communicate in a small company, when you have 20 employees and they are all on the same floor. It's much harder to do it in a global organization, when you have to have security changes and so on.

But I want to give you an example. When we write an article, what is the most important part? The headline. If the headline is not attractive, people won't read it. So how do a lot of people write articles and headlines? For example, "Don't click on a suspicious link." Is it catchy? It's not; probably most of the people won't read it. Instead of that you can write, 'One Click Is Enough To Allow Someone To Steal Your Money.' And this headline will encourage people to go deeper into this article, to click on it and read more about cybersecurity.

What else? We should also tell people the story, not only the information about cybersecurity; we should show them the whole context. So why cybercriminals do it, how they do it, and what the consequences of the attack can be. If you have a template and you are limited in words, it's hard to explain cybersecurity in 200-300 words, because sometimes in your organization communication looks like that. So you have to tell people the story. And you also have to show them what the attacks look like. You can record a video of an example of the attack, of what will happen after connecting a malicious USB device to your laptop. If you don't have technical experts who can do it for you, you can also hire an external vendor. But as I mentioned before, you have to have a budget to do it.

Dr. Dave Chatterjee:

In fact, I want to re-emphasize a statement you made, which is so compelling. You said the communication should be attractive, should be immersive, and should be simple. I couldn't agree with you more. You have to get people to recognize why they need to be aware of different types of attacks, the consequences, and how that relates to the work they do, because at the end of the day, you know, everybody is not thinking about cybersecurity effectiveness like some are. So the recognition that we need to make it more relatable cannot be overemphasized.

And that brings up another point that you made, and I'm going to couch it a little differently. What we can't have is a one-size-fits-all approach. Neither can we have the check-the-box approach: okay, there was a compliance requirement; you mentioned the word template; here is the template, let's send it out to everybody, communication is complete. That's not well done. At the end of the day, I think it's all about how genuine the intent is to communicate effectively, and what mechanisms are in place to assess whether the recipient has really received your message.

And once again, talking about receiving the message, being relatable, what that brings to mind is the importance of making sure the message is customized, making sure the message is targeted, making sure the message is personalized. Let's say I am performing a certain role in an organization. If you would align the security posture, security measures, the security best practices that I need to be conscious of while I perform the role, that would be so much more relatable. I'll be able to assimilate that so much better than if I'm looking at a one-page-long email with all kinds of do's and don'ts. And like you said, you know, those kinds of emails we all receive in organizations, we tend to look over them, because often the titles are not catchy, the message is too long. And I have a natural tendency to look at an email, and the first question I ask myself is, is it for me, or is it for the masses? If it's for the masses, that gets a lower priority. So that level of consciousness, that recognition is important, and yes, it does require organizations to go the extra distance. You talked about budget, absolutely. And anything else that needs to be done, whether it's from a governance standpoint, from a procedural standpoint, those steps have to be taken, because we cannot emphasize enough the importance of effective communication.

So let's go along this direction and talk about some best practices or guiding principles that you see out there.

Marcin Ganclerz:

First of all, as you mentioned, we should divide, and we should think what groups we have within the organization and tailor the training for them. It's hard to prepare a different communication for different groups; in my opinion, it's better to prepare targeted training for them. I have delivered dozens of this kind of training at my previous job at PKO Bank Polski, the biggest bank in Poland. So, for example, employees at the branch centers have different needs than employees working in the call center, or assistants of the directors or the executives. So the best way, I think, is to prepare an online training for them. Of course, as I mentioned, it's easier in a smaller organization; it's hard to solve in a big organization that has 200,000 employees, but it's possible. I think the best way to educate employees is contact one on one, even on Zoom or other platforms like Teams and so on, because you have an hour, more than an hour. I think an hour is enough to explain to them why this is so important, show them what the most important rules within an organization are. For example, at PKO Bank we created 10 cybersecurity rules for employees and clients. And when you have this kind of rules, it's easier to promote them and, basing on them, educate your employees.

What's more, what is important? Well, I think we should concentrate on building the human firewall. So show employees that they are an important part of the cybersecurity system, and if they have distilled this knowledge, they will help us protect our organization. I think the problem is that many organizations, many companies, tend to treat employees as risks, as the weakest link. And they use all of this terminology that suggests they don't actually have the power to be a strong security agent. When we want to protect our organization, we don't need the weakest link, we need a strong link. And when we see people as a strong link, they act as a strong link. When you use this terminology, risk, the weakest link, it's this PEBKAC, I mean, problem exists between keyboard and chair. So this is how most technical experts see the role of the users: that they are not the weakest link, that they are the primary attack vector. They can be valuable assets for the organization, but we have to educate them, train them, and reward them. I heard a lot of stories where people reported a phishing email and they didn't even receive an email, a feedback, whether it was a phishing or not a phishing. So if you want to build a great culture in your organization, you have to reward your employees, show them that they are important. Of course, there are many ways to do it, and we can spend hours talking about it. We don't have so much time, but you should think and concentrate and show them in every communication, prepare videos, podcasts, webinars on your intranet, show them why the role is so important. You have e-learning, show them the role in this e-learning; you have articles, show them in articles. I think it's important, because when you have this culture of fear, when employees don't want to report any suspicious email, they are afraid of making mistakes, because you blame them for the mistake. They make mistakes, they are humans, we all make mistakes. And if they don't understand cybersecurity, concentrate on educating them, show them why this is so important, that it's not so difficult. But you have to do it in a simple and understandable way. When you use a lot of fancy words and acronyms, they won't understand it.

Dr. Dave Chatterjee:

I'd love to jump in here, because you're saying stuff that's getting me all excited and passionate. And the one thing I'd like to say here is, don't let jargons be the great digital divide. Don't let terms, terminologies, acronyms come in the way of connecting the entire organization and getting them on board, and getting them on the same page when it comes to understanding the challenges and how to deal with them. You put it so well when you said employees, or people, treat them as the strongest link. There's a difference between being the biggest target and being the strongest link. And that distinction needs to be made.

And I'm sure you will agree from your life experiences, and I've seen enough to conclude that the more you have confidence in people, the more you're willing to trust them, the more you're willing to empower them with training, they will rise to the occasion. You know, in one of my earlier podcasts, I had the CEO of a major corporation make a very telling comment. He said, "Dave, people come to work because they want to make a difference. They come to work because they would like to do something great." And that's the kind of mindset that organizations need to have. That's the kind of mindset that would create and sustain what I call in my book the High-Performance Information Security Culture. To be able to create and sustain that culture, people continue to be the most important factor. How you motivate them, how you empower them, that's the challenge. But it's a great challenge to have. And we have enough tools, enough guidelines to make those things happen. The intent needs to be there, the recognition needs to be there. And I'm so glad that you're sharing these wonderful examples with listeners to enhance that level of awareness.

So Marcin, while we were having our prep discussion, you said something very interesting that stayed with me. You said the education about cybersecurity should be permanent. Tell us a little more about that. What...

Marcin Ganclerz:

Why should it be permanent? Because threats are changing every day. And that is one thing. So three years ago, we had different threats, and in the next years probably we will have different ones. So it's one thing, and the other is that, as I mentioned before, when you release your training, obligatory training, only for new employees, and they completed it, the education is not finished. You have to continue reinforcing your education, reinforce this role in different channels in the organization. We learn our whole life; it's the same with cybersecurity. If you only release your one training, and you think it's not enough, it isn't enough. You have to have different tools, different actions to influence people.

What is the most important thing in cybersecurity education? Changing human behavior. If you click on the link, what we have to do is to change this behavior, and how can we do it? We need this BJ Fogg behavior model. And we need three things. Employees, users, should be motivated. They need to have ability, and a prompt or trigger. And when we have these three elements at the same time, you can change human behavior. Of course, so we have to motivate them. How? Show them why, start with why, why this is so important for you. Of course, we have to build the ability, or maybe they have this ability. And we need a prompt, a trigger. And this communication can be a trigger: an attractive video with a simple message for them. Videos don't have to be very long; especially in social media, people usually concentrate on the first five, six seconds. So the most important information should be included in these first five, six seconds. Or you cannot prepare a 10-minute video about cybersecurity; let's do it in one minute. It's enough to insert the most important information. You can create a newsletter for employees with the most important information and send it to them once a month, once a week. Think about external experts; invite someone to your company who can share the knowledge with your employees. And what's more, to do it you need the right people. That's why the trend on the market is that companies are searching for people not with technical knowledge, but with communication, public relations and marketing background. Because all you have to do is find a way to promote your program, to promote the cybersecurity rules: how to do it, how to influence people, how to encourage them, how to change the behavior. And I think most technical experts don't know how to do it.

Dr. Dave Chatterjee:

You know, one of the best practices that I came across in an organization is their approach of incremental learning. Almost every day, an email goes out to the inboxes, with one message, with maybe one learning item. So their approach is that we want the cybersecurity education and training to be continuous, to be reinforced; instead of giving it to them all at once in huge chunks, let's give it to them in small incremental amounts and let's make it a daily activity around the year. So then it's becoming institutionalized. It's becoming part of the organizational DNA, the organizational best practices.

Another point that you made, and I want to re-emphasize that, goes back to what we were talking about: making the educational experience, the training experience, as immersive, as hands-on as possible. Bottom line, can we make it fun? Can we make it interesting? Whether it's by showing little video clips, or whether it's by hosting some workshops where scenes are enacted about the consequences of what happens, or about how an employee or a set of employees were able to save the company from a certain attack, sharing those in the form of stories, but in a dramatic fashion, that would get the attention of the people. In other words, one has to get creative about how you want to communicate what you want to communicate; some thought needs to go into it. Let's get past the template-based approach that you talked about; let's get creative. Every company has probably a relatively unique culture; they have a better understanding of what would go well with their employees. So they should accordingly customize their communication, as opposed to just hiring an expert from outside and having them run the show. Nothing against experts. I respect experts, and I'm sure experts bring a lot of experience working across industries, across firms. But an organization still needs to have oversight, still needs to make sure that they are working in partnership with the expert to provide the training that is appropriate for their people. So that's kind of the way I think we will make progress. Because, as you know, effective communication is so critical, whether it's getting employee buy-in, whether it's getting the buy-in of the leadership, whether it's trying to convince people about not doing something, of not engaging in a certain act. Unless we have a good way of getting the message across, we are unlikely to achieve what you just said: the change in behavior.

Marcin Ganclerz:

I can tell you an interesting story, please, about one of the elearning programs I prepared at my previous job. So when I came there, I realized that the existing elearning was boring. It was 20 slides with a lot of information about policies, standards and so on, which you had to do, but it wasn't interesting. And my main idea was we have to change it. And we prepared a new elearning with experts; it's not a secret, it was Paula Januszkiewicz, CEO of CQURE. You can find out about it on my LinkedIn profile. And we started from promoting this learning, showing employees, hey, something new is coming. And we organized an event. We involved in this one of the C-level executives, because if you need this culture of enablement, it should start with the highest level in the organization. Because one of Robert Cialdini's principles of persuasion is authority. So, if people, employees, see that cybersecurity education, cybersecurity training is important for our CEO, board member, and so on, it should also be important for me. Imagine the situation when you receive an email about mandatory training from a corporate address, and you receive an email about mandatory training from one of the board members. Of course, if you receive an email from a board member about mandatory training, you'll agree you will do it the same day. But coming back to the story, so we organized an event. During this event, we told employees what will be in this eLearning program, when we are going to launch it. And I can tell you it was a huge program. So we divided this program into 10 different modules. And I can tell you that after we released the first module and the second module, I received a lot of emails from employees with the information that it was the best elearning they have ever seen. Because we showed them why, we showed them how the attacks look like, what are the consequences of the attack. And this eLearning program was immersive, because people prefer to watch than read. So we concentrated on video materials, so you could sit and watch something interesting about cybersecurity. And yes, I think it's important to start from this interesting elearning program, and show them why this is so important for them. And what's more, after I had received all these emails, I came to the idea that let's use it, and I asked these employees, hey, can I prepare a video with you? So you can say what's your opinion about this eLearning, because we want to promote this learning within the organization, and they agreed. So I recorded them. I didn't need a budget, because I did it on Teams. I recorded a video with them, with four employees. So I also used their opinion to build the cybersecurity communication.

Dr. Dave Chatterjee:

That's an excellent point. In fact, you made several; you shared some excellent examples. One thing that comes to mind relating to what you just said: if you can build that peer group. In fact, this particular educational institution, they have created what they called the Champions Network. The Champions Network comprises folks who are willing to champion the cause of cybersecurity. So I'm thinking an organization can create a Champions Network, people who will focus on effective cybersecurity communications. And each of these folks serve as influencers. They serve as a hub who can promote the message more effectively to their group. You mentioned the challenges of achieving these effective communication goals in large organizations. And I believe by creating networks of people, of trained people, people who are passionate, people who are influencers, who have the ability to be very compelling, use these networks to spread the word. So it doesn't have to be like a message coming from the top being sent to everybody. I think the approach should be more distributed. And that's how it will take on a life of its own, it will gather momentum, and then you will see a groundswell. You will see a bottom-up approach where everybody is a conduit, is a source of how to effectively communicate or share something relating to good cyber practice. And that's the way I believe the overall communication effectiveness can be achieved, which in turn could lead to creating a high-performance information security culture.

Well, Marcin, this discussion is so interesting. I want to keep going. However, we have some time constraints. So I'd like to ask you to start wrapping this up for us by sharing some key messages, some final thoughts, whatever you'd like to share with the listeners.

Marcin Ganclerz:

Concentrate on building a culture of enablement in your organization, rather than a culture of fear, because everything starts from culture in the organization. When you have this culture of enablement, people love to feel valued. They want to be an important part of the cybersecurity system. If you have the right culture, they will feel responsible for cybersecurity, they will feel like a vital part of the cybersecurity system and they can be your really valuable asset. But remember, you have to educate them, train them and reward them, not blame them. Because if you have this culture of fear, if you blame your employees for mistakes, they won't be an important part of your cybersecurity system. Yes, they will really be a risk. All you need in your organization is to make your employees the strong link. The important part of your organization are your employees with tools, and the main tool is knowledge: knowledge of how to react, how to react to the attack, how to recognize them. And remember that cybersecurity communication and education should be permanent, should be simple and understandable, multichannel, distinctive. Remember that you have to change human behavior. Without changing human behavior, they won't be great agents. If they make a mistake, find a way how to change it. And I think that's the most important part. And start with why; show them why this is so important. And the best way to do it is how cybersecurity applies to the personal life. Because attacks here and there are the same, but at home you don't have cybersecurity experts, technical experts, tools and expensive software that can help you protect yourself and your family. And find a way to involve in your program C-level executives; show employees that cybersecurity is important for all the people within the organization, not only for employees. And prepare an attractive, immersive communication awareness program in different channels in the organization. You have webinars, podcasts, videos, emails, newsletters, elearning, a lot. You can create a Cybersecurity Day, a Cybersecurity Awareness Month, you can prepare for them targeted training, online training. You have a lot of different tools which you can use to build this cybersecurity awareness. And don't be afraid to hire someone with communication, marketing or public relations experience, because it's easier for a person like me to learn about cybersecurity, rather than for technical experts to learn communication skills.

Dr. Dave Chatterjee:

Well, thank you so much, Marcin. That was very, very informative. I'd like to wrap it up as well, reminding our listeners of the significance of customized, targeted, personalized communication, recognizing that a one-size-fits-all approach doesn't work. There needs to be a genuine intent to communicate effectively, and suitable assessment mechanisms should be in place to assess communication performance. With that we conclude our discussion for today. Thank you again.

Marcin Ganclerz:

Thank you so much.

Dr. Dave Chatterjee:

A special thanks to Marcin Ganclerz for his time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host


Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee's interest and expertise lie in the various facets of information technology management, from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee's research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.