Episode 19
Making Cybersecurity Communication Effective
Cybersecurity communication should be simple, immersive, attractive, continuous, and multi-channel, says Marcin Ganclerz, a subject matter expert. He passionately argues for creating a 'culture of enablement and not fear' so employees can play a vital role in enhancing cybersecurity communication effectiveness. Marcin also shares several examples and best practices in support of his recommendations.
Time Stamps
Martin, how about sharing with listeners a bit about your professional and cybersecurity journey?
How about we start with some challenges and hurdles that are associated with effective cybersecurity communication.
What would you consider are the key elements or attributes of effective cyber communication?
So let's talk about some best practices or guiding principles that you see out there.
You said the education about cybersecurity should be permanent. Tell us a little more about that.
So I'd like to ask you to start wrapping this up by sharing some key messages, some final thoughts, whatever you'd like to share with the listeners
Memorable Marcin Ganclerz Quotes
"The technical experts suffer from the curse of knowledge."
"We should show employees, show users, why cybersecurity is so important for them. And I think the best way to do it is to show them that it applies to their personal life."
"Cybersecurity communication should be simple, immersive, attractive, permanent, and multi-channel."
"When we treat people as a strong link, they act as a strong link."
"Concentrate on building a culture of enablement, rather than a culture of fear."
"People love to feel valued. They want to be an important part of the cybersecurity system."
"If you have the right culture, people will feel responsible for cybersecurity, they will feel like a vital part of the cybersecurity system and they can be your really valuable asset. But remember, you have to educate them, train them and reward them, not blame them."
"Employees can be valuable assets for the organization, but we have to educate them, train them, and reward them."
"So if you want to build a great culture in your organization, you have to reward your employees, show them that they are important."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Cybersecurity Readiness:A Holistic and High-Performance
Cybersecurity Readiness:Approach. He has been studying cybersecurity for over a decade,
Cybersecurity Readiness:authored and edited scholarly papers, delivered talks,
Cybersecurity Readiness:conducted webinars, consulted with companies, and served on a
Cybersecurity Readiness:cybersecurity SWAT team with Chief Information Security
Cybersecurity Readiness:officers. Dr. Chatterjee is an Associate Professor of
Cybersecurity Readiness:Management Information Systems at the Terry College of
Cybersecurity Readiness:Business, the University of Georgia and Visiting Professor
Cybersecurity Readiness:at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee:Hello, everyone. I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Today, I have the pleasure of talking with
Dr. Dave Chatterjee:Marcin Ganclerz, an expert in cybersecurity awareness and
Dr. Dave Chatterjee:training. Marcin, welcome. It's great to have you as a guest on
Dr. Dave Chatterjee:the show today. Thanks for making time to share your
Dr. Dave Chatterjee:thoughts and perspectives with listeners. To get the ball
Dr. Dave Chatterjee:rolling Marcin, how about share with listeners a bit about your
Dr. Dave Chatterjee:professional and cybersecurity journey.
Marcin Ganclerz:Hello, Dave, thank you so much for having me
Marcin Ganclerz:on. It's great to be to be here. My cybersecurity journey is
Marcin Ganclerz:quite interesting and unusual. Because I'm a former journalist.
Marcin Ganclerz:I worked at the Polish public television for eight years. And
Marcin Ganclerz:one day I had to prepare a TV material about phishing attack.
Marcin Ganclerz:It was about a man who lost all of his money, because cyber
Marcin Ganclerz:criminals broke into his bank account. It was a time when
Marcin Ganclerz:phishing attacks weren't so common in Poland. So as a
Marcin Ganclerz:journalist, I started searching for information about phishing
Marcin Ganclerz:attack, how they looks like, what are the consequences of the
Marcin Ganclerz:attack, what are the techniques, I had to record some experts.
Marcin Ganclerz:And that's how I found cybersecurity is very
Marcin Ganclerz:interesting. And after I had finished this material, I
Marcin Ganclerz:started reading about cybersecurity, following some
Marcin Ganclerz:experts. And that's how I became cybersecurity passionate. A few
Marcin Ganclerz:a few years later, I saw that the biggest bank in Poland was
Marcin Ganclerz:searching for a person responsible for building
Marcin Ganclerz:cybersecurity program for clients and employees. And I
Marcin Ganclerz:came to conclusion that it's the best time for me to dive into
Marcin Ganclerz:this cybersecurity world. I got this job. And that's how I be
Marcin Ganclerz:became a Cybersecurity Awareness expert.
Dr. Dave Chatterjee:Fantastic, what a great, great story.
Dr. Dave Chatterjee:Marcin, you have a lot of experience a lot of interesting
Dr. Dave Chatterjee:stories probably to share with the listeners. How about we
Dr. Dave Chatterjee:start with some challenges and hurdles that are associated with
Dr. Dave Chatterjee:effective cybersecurity communication.
Marcin Ganclerz:No problem. I think one of the biggest problem
Marcin Ganclerz:is that, for many organization, cybersecurity is not a priority.
Marcin Ganclerz:So they prefer to invest in some security tools, software,
Marcin Ganclerz:rather, rather than invest in this human operating system.
Marcin Ganclerz:They don't want to spend the money for educating employees. I
Marcin Ganclerz:like this meme. Probably, you know, it and our listeners also,
Marcin Ganclerz:security budget before and after the breach. I think it's the
Marcin Ganclerz:same with education. Yeah. So if you don't have if it's not a
Marcin Ganclerz:priority for the organization, it's hard to educate employees.
Marcin Ganclerz:They don't see this communication. Another thing is
Marcin Ganclerz:there's that huge gap on the market. I mean, there is no a
Marcin Ganclerz:lot of there aren't a lot of technical, no, not technical,
Marcin Ganclerz:experts who are specialized in cybersecurity awareness. Usually
Marcin Ganclerz:in the organization, the person who is responsible for educating
Marcin Ganclerz:employees and for cybersecurity awareness is information
Marcin Ganclerz:security specialists or technical experts with the
Marcin Ganclerz:technical knowledge And I think the problem with them is that
Marcin Ganclerz:they don't know how to communicate. The technical
Marcin Ganclerz:experts suffer from curse of knowledge. So for them,
Marcin Ganclerz:everything is simple. I can tell you a great example. Once I had
Marcin Ganclerz:to write an article about passwords, and when I was
Marcin Ganclerz:writing this article, one of the director came to me and said,
Marcin Ganclerz:Hey, you should write about passwords entropy. And I look at
Marcin Ganclerz:him and ask, how many people know what the entropy is? And
Marcin Ganclerz:the answer was silence. Because it's a great example how most of
Marcin Ganclerz:technical experts think; for him, it was obvious what is
Marcin Ganclerz:entropy? For most of the users, cyber, cyber security is scary,
Marcin Ganclerz:confusing, intimidating, they don't understand it. Next
Marcin Ganclerz:example. When we say employees about how to create password, we
Marcin Ganclerz:will say them hey, it should have at least 12 characters,
Marcin Ganclerz:uppercase, lowercase, special characters, numbers, and you
Marcin Ganclerz:should change it every 90 days. And what's more, you cannot have
Marcin Ganclerz:the same password on other portal or services. Is it
Marcin Ganclerz:simple? No, for the users, it's really hard to do it. I prefer
Marcin Ganclerz:to say, say them hey use Password Manager.
Dr. Dave Chatterjee:And,
Marcin Ganclerz:and the last problem, I think, is budget. So
Marcin Ganclerz:if you want to create attractive, immersive
Marcin Ganclerz:communication, you need money. If you want to prepare elearning
Marcin Ganclerz:or webinar for your employees, attractive video games, and so
Marcin Ganclerz:on, you need money. If you don't have money, it's hard to do
Marcin Ganclerz:something constructive. It's possible, but it's more
Marcin Ganclerz:difficult. So I think that these are the most important
Marcin Ganclerz:challenges for building effective communication
Dr. Dave Chatterjee:makes a lot of sense. I'm glad you touched
Dr. Dave Chatterjee:upon a very key area. The challenge lies in finding those
Dr. Dave Chatterjee:people who know enough about the phenomenon, have reasonable
Dr. Dave Chatterjee:technical awareness and have the ability to communicate in plain
Dr. Dave Chatterjee:and simple language. As you know, the cybersecurity
Dr. Dave Chatterjee:phenomenon is very complicated. With so many terms,
Dr. Dave Chatterjee:terminologies, and jargons. The best thing that could happen to
Dr. Dave Chatterjee:enhancing awareness is to try and simplify the message. One of
Dr. Dave Chatterjee:the primary reasons for doing this podcast Marcin is to make
Dr. Dave Chatterjee:the cybersecurity conversation more mainstream. And I'm so glad
Dr. Dave Chatterjee:that you have joined me in this discussion. So moving along,
Dr. Dave Chatterjee:what would you consider to be the key elements or attributes
Dr. Dave Chatterjee:of effective cyber communication?
Marcin Ganclerz:I think one of the most important thing is to
Marcin Ganclerz:show people why this is so important. It's a great TED Talk
Marcin Ganclerz:by Simon Sinek 'Start with Why.' And we should show employees,
Marcin Ganclerz:show users, why cybersecurity is so important for them. And I
Marcin Ganclerz:think the best way to do it is to show them that it applies to
Marcin Ganclerz:their personal life. So, here and there, I mean here at your
Marcin Ganclerz:work and there at your home, threats are the same
Marcin Ganclerz:cybercriminals don't look if it's your personal or business
Marcin Ganclerz:email, they have they have all of these addresses and send the
Marcin Ganclerz:campaign to all of all their addresses they they have. So we
Marcin Ganclerz:should persuade employees that everything you learn at your
Marcin Ganclerz:work will help you to be safer at your personal life. You can a
Marcin Ganclerz:job and at home. We shopping banking online, we have mobile
Marcin Ganclerz:devices. But at home you don't have a whole cybersecurity
Marcin Ganclerz:security department that can help you to protect against this
Marcin Ganclerz:kind of threat. So we have to arm employees with tools and the
Marcin Ganclerz:best tool is knowledge, knowledge, how the attack looks
Marcin Ganclerz:like, how to recognize them and how to react on them. So by
Marcin Ganclerz:doing it, we creating them as we will make them as a great
Marcin Ganclerz:cybersecurity agents who can help protect our company. And
Marcin Ganclerz:they will be safer, safer at home. The next thing is that
Marcin Ganclerz:cyber security communication should be simple, immersive,
Marcin Ganclerz:attractive, permanent, multi channel, we cannot only release
Marcin Ganclerz:once only for new employees, and you cybersecurity training. And
Marcin Ganclerz:of course, we will be comply with some regulations. But it
Marcin Ganclerz:won't change anything. If we do a training once for a few years,
Marcin Ganclerz:it won't change anything. So we have to send them a message
Marcin Ganclerz:every month every week in different channels. Because
Marcin Ganclerz:there are a lot of channels in the organization. Of course,
Marcin Ganclerz:every every cybersecurity communication program and
Marcin Ganclerz:awareness program should be adjusted to the organization,
Marcin Ganclerz:it's easier to communicate in a small company, when you have 20
Marcin Ganclerz:employees, and they are all on the same floor. It's much harder
Marcin Ganclerz:to do it in a global organization, when you have when
Marcin Ganclerz:you have to have security changes and so on. So, um, but I
Marcin Ganclerz:want to give you an example, for when we, when we write an
Marcin Ganclerz:article, what is the most important part of this headline?
Marcin Ganclerz:If headline is not attractive, people won't read it. So how,
Marcin Ganclerz:how a lot of people write articles, and headlines. For
Marcin Ganclerz:example, don't click on a suspicious link. Is it catchy,
Marcin Ganclerz:it's not, probably most of the people won't read it. Instead of
Marcin Ganclerz:that you can write 'One Click Is Enough To Allow Someone To Steal
Marcin Ganclerz:Your Money.' And this headline will encourage people to go
Marcin Ganclerz:deeper to this article, to click on it and read more about cyber
Marcin Ganclerz:security. What else, we should also tell people the story, not
Marcin Ganclerz:only the information about cybersecurity, we should show
Marcin Ganclerz:them the whole context. So why cyber criminals do it, how they
Marcin Ganclerz:do it, and what can be the consequences of the attack. If
Marcin Ganclerz:you have
Marcin Ganclerz:a template and you are limited to the words, it's hard to
Marcin Ganclerz:explain cybersecurity in 200 300 words. Because sometimes in your
Marcin Ganclerz:organization, communication looks like that. So you have to
Marcin Ganclerz:tell people the story. And you also have to show them how the
Marcin Ganclerz:attacks looks like. You can record a video of the example of
Marcin Ganclerz:the attack for what will happen after connecting malicious USB
Marcin Ganclerz:device to your laptop. If you don't have technical experts who
Marcin Ganclerz:can do it for you, you can also buy an external vendor for you.
Marcin Ganclerz:But as I mentioned before, you have to have a budget to do it.
Dr. Dave Chatterjee:In fact, I want to re emphasize a statement
Dr. Dave Chatterjee:you made, which is so compelling. You said the
Dr. Dave Chatterjee:communication should be attractive, should be immersive
Dr. Dave Chatterjee:and should be simple. I couldn't agree with you more. You have to
Dr. Dave Chatterjee:get people to recognize why they need to be aware of different
Dr. Dave Chatterjee:types of attacks, the consequences, and how does that
Dr. Dave Chatterjee:relate to the work they do, the consequences, because at the end
Dr. Dave Chatterjee:of the day, you know, everybody is not thinking about
Dr. Dave Chatterjee:cybersecurity effectiveness, like some are. So the
Dr. Dave Chatterjee:recognition that we need to make it more relatable cannot be
Dr. Dave Chatterjee:overemphasized. And that brings up another point that you made.
Dr. Dave Chatterjee:And I'm going to couch it a little differently. What we
Dr. Dave Chatterjee:can't have is a one-size-fit-all approach. Neither can we have
Dr. Dave Chatterjee:the check-the-box approach. Okay, there was a compliance
Dr. Dave Chatterjee:requirement. You mentioned the word template, here is the
Dr. Dave Chatterjee:template let's send it out to everybody. Communication is
Dr. Dave Chatterjee:complete. That's not well done. At the end of the day, I think
Dr. Dave Chatterjee:it's all about how, how genuine is the intent to communicate
Dr. Dave Chatterjee:effectively, and what mechanisms are in place to assess whether
Dr. Dave Chatterjee:the recipient has really received your message. And once
Dr. Dave Chatterjee:again, talking about receiving the message, being relatable,
Dr. Dave Chatterjee:what that brings to mind is the importance of making sure the
Dr. Dave Chatterjee:message is customized, making sure the message is targeted,
Dr. Dave Chatterjee:making sure the message is personalized. Let's say I am
Dr. Dave Chatterjee:performing a certain role in an organization. If you would align
Dr. Dave Chatterjee:the security posture, security measures, the security best
Dr. Dave Chatterjee:practices that I need to be conscious of while I perform the
Dr. Dave Chatterjee:role, that would be so much more relatable, I'll be able to
Dr. Dave Chatterjee:assimilate that assimilate that so much better than if I'm
Dr. Dave Chatterjee:looking at a one page long email with all kinds of do's and
Dr. Dave Chatterjee:don'ts. And like you said, you know, those kinds of emails we
Dr. Dave Chatterjee:all receive in organizations, we tend to look over them. Because
Dr. Dave Chatterjee:often the titles are not catchy, the message is too long. And I
Dr. Dave Chatterjee:have a natural tendency to look at an email and the first
Dr. Dave Chatterjee:question I asked myself, is it for me? Or is it for the masses.
Dr. Dave Chatterjee:If it's for the masses, that gets a lower priority. So that
Dr. Dave Chatterjee:level of consciousness, that recognition is important, and
Dr. Dave Chatterjee:yes, it does require organizations to go the extra
Dr. Dave Chatterjee:distance. You talked about budget, absolutely. And anything
Dr. Dave Chatterjee:else that needs to be done, whether it's from a governance
Dr. Dave Chatterjee:standpoint, from a procedural standpoint, those steps have to
Dr. Dave Chatterjee:be taken. Because we cannot emphasize enough the importance
Dr. Dave Chatterjee:of effective communication. So let's go along this direction
Dr. Dave Chatterjee:and talk about some best practices or guiding principles
Dr. Dave Chatterjee:that you see out there.
Marcin Ganclerz:First of all, as you mentioned, we should
Marcin Ganclerz:divide, and we should think, what groups do we have within
Marcin Ganclerz:the organization and tailor the training for them. It's hard to
Marcin Ganclerz:prepare a different communication for different
Marcin Ganclerz:groups, in my opinion, it's better to prepare for them
Marcin Ganclerz:targeted training. I have delivered dozens of this kind of
Marcin Ganclerz:training at my previous job at PKO Bank Polski, the biggest
Marcin Ganclerz:bank in Poland. So, for example, when
Dr. Dave Chatterjee:employees,
Marcin Ganclerz:at the branch centers, have different needs
Marcin Ganclerz:that employees both working on the call center, or assistance
Marcin Ganclerz:of the directors or the executive. So the best way I
Marcin Ganclerz:think, is to prepare an online training for them. Of course, as
Marcin Ganclerz:I mentioned, it's easier in a smaller organization, it's hard
Marcin Ganclerz:to solve a big organization who has 200,000 employees, but it's
Marcin Ganclerz:possible. I think the best way to educate employees is contact
Marcin Ganclerz:one on one even on Zoom or other platform like teams and and so
Marcin Ganclerz:on, because you have an hour more than hour, I think an hour
Marcin Ganclerz:it's enough to explain them. Why this is so important. Show them
Marcin Ganclerz:what are the most important rules within an organization.
Marcin Ganclerz:For example, at PKO Bank we created 10 cybersecurity rules
Marcin Ganclerz:for employees and clients. And when you have these kind of
Marcin Ganclerz:rules, it's easier to promote them and basing on them and
Marcin Ganclerz:educate your your employees. What's more, what is important
Marcin Ganclerz:Well, I think we should concentrate on building the
Marcin Ganclerz:human firewall. So show employees that they are
Marcin Ganclerz:important part of the cybersecurity system, and if
Marcin Ganclerz:they have distilled this knowledge, they will help us
Marcin Ganclerz:protect our organization. I think the problem is that many
Marcin Ganclerz:organization, many companies tend to treat employees as risks
Marcin Ganclerz:as the weakest link. And they use all of this terminology,
Marcin Ganclerz:that suggests they don't actually have the power to be a
Marcin Ganclerz:strong security agent. When we want to protect our
Marcin Ganclerz:organization, we don't need the weakest link, we need strong
Marcin Ganclerz:link. And when we see people as a strong link, they act as a
Marcin Ganclerz:strong link. When you use this terminology, risk, the weakest
Marcin Ganclerz:link, it's this pep cuts, I mean, problem exists between
Marcin Ganclerz:keyboard and chair. So this is how most technical experts see
Marcin Ganclerz:the role of the users, they that they are not the weakest link,
Marcin Ganclerz:that they are the primary attack vector. They can be valuable
Marcin Ganclerz:assets for the organization, but we have to educate them, train
Marcin Ganclerz:them, and reward them. I heard a lot of stories when people
Marcin Ganclerz:reported a phishing email. And they don't even receive an email
Marcin Ganclerz:a feedback, if it's was a phishing or not a phishing. So
Marcin Ganclerz:if you want to build the great culture in your organization,
Marcin Ganclerz:you have to reward your employees, show them that they
Marcin Ganclerz:are important. Of course, of course, there are many ways to
Marcin Ganclerz:do it, and we can spend hours talking about it. We don't have
Marcin Ganclerz:so much time, but um, you should think and concentrate and show
Marcin Ganclerz:them every communication, prepare in videos, podcasts,
Marcin Ganclerz:webinars, on your internet, show them why the role is so
Marcin Ganclerz:important. You have elearning show them the role in this
Marcin Ganclerz:elearning you have articles, show them in articles. I think I
Marcin Ganclerz:think it's, it's important, because when you have this
Marcin Ganclerz:culture of fear, so when employees don't want to report
Marcin Ganclerz:any suspicious email, they are afraid of making mistakes,
Marcin Ganclerz:because you blame them for the mistake. They make mistakes,
Marcin Ganclerz:they are humans, we all make mistakes. And if they don't
Marcin Ganclerz:understand cybersecurity, concentrate on educating them,
Marcin Ganclerz:show them why this is so important that it's not so
Marcin Ganclerz:difficult. But you have to do it in a simple and understandable
Marcin Ganclerz:way. When you use a lot of fancy words, and acronyms, they don't
Marcin Ganclerz:understand, they won't understand it.
Dr. Dave Chatterjee:I'd love to jump in here. Because you're
Dr. Dave Chatterjee:saying stuff that's getting me all excited and passionate. And
Dr. Dave Chatterjee:the one thing I'd like to say here is don't let jargons be the
Dr. Dave Chatterjee:great digital divide. Don't let terms terminologies, acronyms
Dr. Dave Chatterjee:come in the way of connecting the entire organization and
Dr. Dave Chatterjee:getting them on board. And getting them on the same page,
Dr. Dave Chatterjee:when it comes to understanding the challenges and how to deal
Dr. Dave Chatterjee:with them. You put it so well when you said employees or
Dr. Dave Chatterjee:people treat them as the strongest link. There's a
Dr. Dave Chatterjee:difference between being the biggest target and being the
Dr. Dave Chatterjee:strongest link. And that distinction needs to be made.
Dr. Dave Chatterjee:And I'm sure you will agree from your life experiences. And I've
Dr. Dave Chatterjee:seen enough to conclude that the more you have confidence in
Dr. Dave Chatterjee:people, the more you're willing to trust them, the more you're
Dr. Dave Chatterjee:willing to empower them with training, they will rise to the
Dr. Dave Chatterjee:occasion. You know, in one of my earlier podcasts, I had the CEO
Dr. Dave Chatterjee:of a major corporation make a very telling comment. He said,
Dr. Dave Chatterjee:Dave, people come to work because they want to make a
Dr. Dave Chatterjee:difference. They come to work because they would like to do
Dr. Dave Chatterjee:something great. And that's the kind of mindset that
Dr. Dave Chatterjee:organizations need to have. That's the kind of mindset that
Dr. Dave Chatterjee:would create and sustain what I call in my book, the
Dr. Dave Chatterjee:High-Performance Information Security Culture. To be able to
Dr. Dave Chatterjee:create and sustain that culture, people continue to be the most
Dr. Dave Chatterjee:important factor. How how you motivate them, how you empower
Dr. Dave Chatterjee:them, that's the challenge. But it's a great challenge to have.
Dr. Dave Chatterjee:And we have enough tools, enough guidelines to make those things
Dr. Dave Chatterjee:happen. The intent needs to be there, the recognition needs to
Dr. Dave Chatterjee:be there. And I'm so glad that you're sharing these wonderful
Dr. Dave Chatterjee:examples with listeners to enhance that level of awareness.
Dr. Dave Chatterjee:So Marcin, while we were having our prep discussion, you said
Dr. Dave Chatterjee:something very interesting that stayed with me. You said, the
Dr. Dave Chatterjee:education about cybersecurity should be permanent. Tell us a
Dr. Dave Chatterjee:little more about that. What,
Marcin Ganclerz:why it should be permanent, because threats
Marcin Ganclerz:are changing every day. And that is one one thing. So three years
Marcin Ganclerz:ago, we have had different threats. And next years,
Marcin Ganclerz:probably we will have different. So it's one thing and the other
Marcin Ganclerz:is that when you as I mentioned before, when you release your
Marcin Ganclerz:training, obbligatory training only for new employees, and they
Marcin Ganclerz:completed it. The education is not finished. You have to
Marcin Ganclerz:continue reinforce your education reinforce this role in
Marcin Ganclerz:different channels in the organization. We learn a whole
Marcin Ganclerz:life, it's the same of cybersecurity. If you only
Marcin Ganclerz:release your one training, and you think it's not enough, it
Marcin Ganclerz:isn't enough. You have to have different tools, different
Marcin Ganclerz:actions, influence people, what is the most important in
Marcin Ganclerz:cybersecurity education, changing human behavior? If you
Marcin Ganclerz:click on the link, what we have to do is to change this this
Marcin Ganclerz:behavior, and how can we do it? We need this BJ Fogg behavior
Marcin Ganclerz:model. And we need three things. Employees, users, should be
Marcin Ganclerz:motivated. They need to have ability, and prompt or trigger.
Marcin Ganclerz:And when we have these three elements at the same time, you
Marcin Ganclerz:can change human behavior, of course, so we have to motivate
Marcin Ganclerz:them, how? Show them why start to fly, why this is so important
Marcin Ganclerz:for you. Of course, we have to build the ability, or maybe they
Marcin Ganclerz:have this ability. And we need a prompt, a trigger. And this
Marcin Ganclerz:communication can be a trigger attractive video with a simple
Marcin Ganclerz:message for them. Video don't have to be very long, especially
Marcin Ganclerz:in social media, people usually concentrate on the first five,
Marcin Ganclerz:six seconds. So the most important information should be
Marcin Ganclerz:included in this first five, six seconds, or you cannot prepare
Marcin Ganclerz:10 Minutes video about cybersecurity. Let's do it in
Marcin Ganclerz:one minute. It's enough to insert them the more they're the
Marcin Ganclerz:most important information. You can create a newsletter for
Marcin Ganclerz:employees with the most important information and send
Marcin Ganclerz:them it once a month, once a week. Think about external
Marcin Ganclerz:experts invite someone to your company who can share the
Marcin Ganclerz:knowledge with your employees. And what's more, you need to do
Marcin Ganclerz:it you need the right people. That's why the trend on the
Marcin Ganclerz:market is that people companies are searching for people not
Marcin Ganclerz:with technical knowledge, but with communication public
Marcin Ganclerz:relation and marketing background. Because all you have
Marcin Ganclerz:to do is find a way to promote your program to promote the
Marcin Ganclerz:cybersecurity rules, how to do it, how to influence people, how
Marcin Ganclerz:to encourage them, how to change the behavior. And I think most
Marcin Ganclerz:technical experts don't know how to do it.
Dr. Dave Chatterjee:You know, one of the best practices that I
Dr. Dave Chatterjee:came across in an organization is their approach of incremental
Dr. Dave Chatterjee:learning. Almost every day, an email goes out to the inboxes,
Dr. Dave Chatterjee:with one message with maybe one learning item. So their approach
Dr. Dave Chatterjee:is that we want the cybersecurity education and
Dr. Dave Chatterjee:training to be continuous, to be reinforced; instead of giving
Dr. Dave Chatterjee:them, you know, giving it to them all at once in huge chunks,
Dr. Dave Chatterjee:let's give it to them in small incremental amounts and make it
Dr. Dave Chatterjee:let's make it around the year, a daily activity. So then it's
Dr. Dave Chatterjee:it's becoming institutionalized. It's becoming part of the
Dr. Dave Chatterjee:organizational DNA, the organizational best practices.
Dr. Dave Chatterjee:Another point that you made, and I want to re emphasize that, and
Dr. Dave Chatterjee:it goes back to what we were talking about making the
Dr. Dave Chatterjee:educational experience the training experience, as
Dr. Dave Chatterjee:immersive as hands on as possible. Bottom line, can we
Dr. Dave Chatterjee:make it fun? Can we make it interesting? whether it's by
Dr. Dave Chatterjee:showing little video clips, or whether it's by hosting some
Dr. Dave Chatterjee:workshops, where scenes are enacted, about the consequences
Dr. Dave Chatterjee:of what happens, or about how an employee or a set of employees
Dr. Dave Chatterjee:were able to save the company from a certain attack, sharing
Dr. Dave Chatterjee:those in the form of stories, but in a dramatic fashion, that
Dr. Dave Chatterjee:would get the attention of the people. In other words, one has
Dr. Dave Chatterjee:to get creative about how you want to communicate what you
Dr. Dave Chatterjee:want to communicate, some thought needs to go into it.
Dr. Dave Chatterjee:Let's not let's get past the the template based approach that you
Dr. Dave Chatterjee:talked about, let's get creative. Every company has
Dr. Dave Chatterjee:probably a relatively unique culture, they have a better
Dr. Dave Chatterjee:understanding of what would go well with their employees. So
Dr. Dave Chatterjee:they should accordingly customize their communication,
Dr. Dave Chatterjee:as opposed to just hiring an expert from outside and having
Dr. Dave Chatterjee:them run the show nothing against experts. I respect
Dr. Dave Chatterjee:experts. And I'm sure experts bring a lot of experience
Dr. Dave Chatterjee:working across industries across firms. But an organization still
Dr. Dave Chatterjee:needs to have oversight still needs to make sure that they are
Dr. Dave Chatterjee:working in partnership with the expert to provide the training
Dr. Dave Chatterjee:that is appropriate for their people. So that's kind of the
Dr. Dave Chatterjee:way I think we will make progress. Because, as you know,
Dr. Dave Chatterjee:effective communication is so critical, whether it's getting
Dr. Dave Chatterjee:employee buy in whether it's getting the buy in of the
Dr. Dave Chatterjee:leadership, whether it's trying to convince people about not
Dr. Dave Chatterjee:doing something of not engaging in a certain act. Unless we have
Dr. Dave Chatterjee:a good way of getting the message across. We are unlikely
Dr. Dave Chatterjee:to achieve what you just said. The change in behavior.
Marcin Ganclerz:I can tell you interesting story, please one of
Marcin Ganclerz:the elearning program, I prepared my previous job. So
Marcin Ganclerz:when I came there, I realized that existing elearning was
Marcin Ganclerz:boring. It was 20 slides with a lot of information about
Marcin Ganclerz:policies, standards and so on, which you had to do, but it
Marcin Ganclerz:wasn't interesting. And my main idea was we have to change it.
Marcin Ganclerz:And we prepared a new elearning experts it's not a secret it was
Marcin Ganclerz:Paula Januszkiewicz, CEO of the CQURE. You can find about it on
Marcin Ganclerz:my LinkedIn profile. And we started from promoting this
Marcin Ganclerz:learning, show employees, hey, something new is coming. And we
Marcin Ganclerz:organized an event. We're involved to this one of the C
Marcin Ganclerz:level executives, because if you need this culture of enablement,
Marcin Ganclerz:it should start with the highest level in the organization.
Marcin Ganclerz:Because one of Robert Cialdini principles of persuasion is
Marcin Ganclerz:authority. So, if people, employees see that cybersecurity
Marcin Ganclerz:education, cybersecurity training is important for our
Marcin Ganclerz:CEO, board member, and so on, it should also be important for me
Marcin Ganclerz:imagine the situation, then you receive an email about mandatory
Marcin Ganclerz:training from corporate address, and you receive an email about
Marcin Ganclerz:mandatory training from one of the board member. Of course, if
Marcin Ganclerz:you receive an email from board member about mandatory training
Marcin Ganclerz:from agree you will do it the same day. And But coming back to
Marcin Ganclerz:the story, so we organized an event. During this event, we
Marcin Ganclerz:told employees what will be in your in this eLearning program,
Marcin Ganclerz:when we are going to launch it. And I can tell when it was a
Marcin Ganclerz:huge program. So we divided this program, to 10 different
Marcin Ganclerz:modules. And I can tell you that after we released this first
Marcin Ganclerz:module, and the second module, I received a lot of emails from
Marcin Ganclerz:employees with the information that it was the best elearning
Marcin Ganclerz:they have ever seen. Because we show them why, we show them how
Marcin Ganclerz:the attacks look like what are the consequences of the attack.
Marcin Ganclerz:And this eLearning program was immersive, because you don't
Marcin Ganclerz:people prefer watch than read. So we concentrated on videos
Marcin Ganclerz:materials, so you could sit and watch something interesting
Marcin Ganclerz:about cybersecurity. And, and yes, I think it's it's important
Marcin Ganclerz:to start from this interesting elearning program, and show them
Marcin Ganclerz:why this is so important for them. And what's more, after I
Marcin Ganclerz:have received all these emails, I came to idea that let's use
Marcin Ganclerz:it, and I asked this employees, Hey, can I prepare a video with
Marcin Ganclerz:you? So you can say What's your opinion about this eLearning
Marcin Ganclerz:because we want to promote this learning within their
Marcin Ganclerz:organization and they agreed. So I recorded them. I don't I
Marcin Ganclerz:didn't need the budget. Because I did it on Teams. I recorded a
Marcin Ganclerz:video with them, with four employees. So I also used the
Marcin Ganclerz:opinion to build the cybersecurity communication.
Dr. Dave Chatterjee:That's an excellent point. In fact, you
Dr. Dave Chatterjee:made several you share some excellent examples. One thing
Dr. Dave Chatterjee:that comes to mind relating to what you just said, if you can
Dr. Dave Chatterjee:build that peer group, in fact, this particular educational
Dr. Dave Chatterjee:institution, they have created what they called the Champions
Dr. Dave Chatterjee:Network. The Champions network comprises of folks who are
Dr. Dave Chatterjee:willing to champion the cause of cybersecurity. So I'm thinking
Dr. Dave Chatterjee:an organization can create a Champions Network, people who
Dr. Dave Chatterjee:will focus on effective Cybersecurity Communications.
Dr. Dave Chatterjee:And each of these folks serve as influencers. They serve as a hub
Dr. Dave Chatterjee:who can promote the message more effectively to their group. You
Dr. Dave Chatterjee:mentioned the challenges of achieving these effective
Dr. Dave Chatterjee:communication goals in large organizations. And I believe by
Dr. Dave Chatterjee:creating networks of people, of trained people, people who are
Dr. Dave Chatterjee:passionate, people who are influencers, who have the
Dr. Dave Chatterjee:ability to be very compelling. Use these networks to spread the
Dr. Dave Chatterjee:word. So it doesn't have to be like a message coming from the
Dr. Dave Chatterjee:top being sent to everybody. I think the approach should be
Dr. Dave Chatterjee:more distributed. And that's how it will take on a life of its
Dr. Dave Chatterjee:own, it will gather momentum, and then you will see a
Dr. Dave Chatterjee:groundswell. You will see a bottom up approach where
Dr. Dave Chatterjee:everybody is a conduit is a source of how to effectively
Dr. Dave Chatterjee:communicate or share something relating to good cyber practice.
Dr. Dave Chatterjee:And that's the way I believe the overall communication
Dr. Dave Chatterjee:effectiveness can be achieved, which in turn, could lead to
Dr. Dave Chatterjee:creating a high performance information security culture.
Dr. Dave Chatterjee:Well, Marcin, this discussion is so interesting. I want to keep
Dr. Dave Chatterjee:going. However, we have some time constraints. So I'd like to
Dr. Dave Chatterjee:ask you to start wrapping this up for us by sharing some key
Dr. Dave Chatterjee:messages, some final thoughts, whatever you'd like to share
Dr. Dave Chatterjee:with the listeners
Marcin Ganclerz:Concentrate on building culture of enablement
Marcin Ganclerz:in your organization, rather than culture of fear, because
Marcin Ganclerz:everything starts from culture in the organization. When you
Marcin Ganclerz:have this culture of enablement, people, people love to feel
Marcin Ganclerz:valued. They want to be the important part of cybersecurity
Marcin Ganclerz:system. If you have the right culture, they will feel
Marcin Ganclerz:responsible for cybersecurity, they will feel as a vital part
Marcin Ganclerz:of the cybersecurity system and they can be your really valuable
Marcin Ganclerz:asset. But remember, you have to educate them, train them and
Marcin Ganclerz:reward them, not blame them. Because if you have this culture
Marcin Ganclerz:of fear, if you blame your employees for mistakes, they
Marcin Ganclerz:won't be an important part of your cybersecurity system. Yes,
Marcin Ganclerz:they will really be a risk. All you need in the in your
Marcin Ganclerz:organization is make your employees the strong link. The
Marcin Ganclerz:important part of your organization are your employees
Marcin Ganclerz:with tool and the main tool is knowledge knowledge, how to
Marcin Ganclerz:react, how to react to the attack, how to recognize them.
Marcin Ganclerz:And remember that cybersecurity, communication education should
Marcin Ganclerz:be permanent, should be simple, and understandable. Multichannel
Marcin Ganclerz:distinctive. Remember that you have to change human behavior.
Marcin Ganclerz:Without changing human behavior, they won't be great agents. If
Marcin Ganclerz:they make mistake, find a way how to change it. And I think
Marcin Ganclerz:that's, that's the most important part and start with
Marcin Ganclerz:why show them why this is so important. And the best way to
Marcin Ganclerz:do it is how cybersecurity applies to the personal life.
Marcin Ganclerz:Because attacks here and there are the same but at home you
Marcin Ganclerz:don't have cybersecurity experts, technical experts, tool
Marcin Ganclerz:and expensive software that can help you protecting yourself and
Marcin Ganclerz:and your your family and find a way to involve in your program.
Marcin Ganclerz:C level executives show employees that cybersecurity is
Marcin Ganclerz:important for all the people within the organization not only
Marcin Ganclerz:for employees and prepare an attractive, immersive
Marcin Ganclerz:communications communication awareness program in different
Marcin Ganclerz:channels in the organization. You have webinars, podcasts,
Marcin Ganclerz:videos, emails, newsletters, elearning a lot. You can create
Marcin Ganclerz:a Cybersecurity Day, a Cybersecurity Awareness Month,
Marcin Ganclerz:you can prepare for them targeted training, online
Marcin Ganclerz:training. You have a lot of different tools which you can
Marcin Ganclerz:use to build this this cybersecurity awareness. And
Marcin Ganclerz:don't afraid to hire someone with communication, marketing or
Marcin Ganclerz:public relations experience, because it's easier for a person
Marcin Ganclerz:like me to learn about cyber cybersecurity, rather, rather
Marcin Ganclerz:rather than for technical experts to learn communication
Marcin Ganclerz:skills.
Dr. Dave Chatterjee:Well, thank you so much, Marcin. That was
Dr. Dave Chatterjee:very, very informative. I'd like to wrap it up as well, reminding
Dr. Dave Chatterjee:our listeners the significance of customized, targeted,
Dr. Dave Chatterjee:personalized communication. Recognizing that a one-size-fit-
Dr. Dave Chatterjee:all approach doesn't work. There needs to be a genuine intent to
Dr. Dave Chatterjee:communicate effectively, and suitable assessment mechanisms
Dr. Dave Chatterjee:should be in place to assess communication performance. With
Dr. Dave Chatterjee:that we conclude our discussion for today. Thank you again.
Marcin Ganclerz:Thank you so much.
Dr. Dave Chatterjee:A special thanks to Marcin Ganclerz for
Dr. Dave Chatterjee:his time and insights. If you liked what you heard, please
Dr. Dave Chatterjee:leave the podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.
