A couple weeks ago we had a workshop with the team to discuss what works well at OutThink that we should be doubling down on. From the vantage point of the relative newcomer on the leadership team, it felt the conversation continued to turn towards security engagement at almost every step of the way.
Our customers report incredible success with getting their colleagues to actually engage in their security awareness programs. We hear frequently that the content is “just the right…” length, style, customization, relevance for every learner. That people in their organizations actually look forward to their security training. They think it’s creative, innovative and relevant to their needs. All training modules have a feedback mechanism, asking for a rating out of five stars. Our averages are consistently 4.8-star ratings or above.
How is that possible?! Well, a modern Cybersecurity Human Risk Management platform has to understand the behavioral and environmental factors of each learner. Our platform applies a 7-dimension segmentation model to customize content for maximum relevance to each individual. That allows OutThink to keep the content short and pointed to exactly what each individual needs to know. In fact, the content engine doesn’t really contain pre-made modules, the content lives as many small components that compose themselves on the fly based on what the segmentation engine learns about each individual learner.
Beyond having content that hits home with learners, a modern CHRM platform is never about one-way training. It is nothing like the typical marketing megaphone of traditional security awareness training. All the content is built as a platform of engagement. It demands interaction as the learner goes through it. It asks questions, allows the learner to direct their own path through the material, it’s never the same for two different people. And the choices the learner makes, the input the learner provides all form a picture of their behavioral segmentation at that point in time. Our latest content addition is pure immersive engagement – a set of modules based on conversational AI. By definition it becomes a conversation between the module and the learner. How much deeper can engagement get?
Well, it can get broader. The security team must look at engagement more holistically. The goal should be a high level of engagement between clusters of IT users and the security team overall. An important tenet of CHRM is that at every step, learners get to tell the security team about the security issues they see around them. Whether it’s non-secure practices of their colleagues, or faulty physical controls, or an impact on their productivity from following secure behavior advice. Taken at scale, this represents a significant feedback loop between the CISO’s team and affected portions of the organization. Imagine getting intel about security gaps or alignment friction at scale from thousands of colleagues across the organization. How much smarter and more effective, and therefore engaging, would the CISO’s team become as a result?
Perhaps the end stage of security engagement is seeing employees engage in habit-forming activities. It’s not enough to just tell people about risks and behaviors, to really create change we need to teach them how to embed good practices into their daily habits and routines. The true CHRM platform is built to encourage habit-forming activities. For example, studying the sender’s address on any questionable email. If you’re asked enough times whether you’ve done that, you start to “get the joke” and form the habit of doing so. Repetition is the key to real learning and forming habits that keep us safe. Getting learners to engage in the right routines is the final goal of security engagement.
Since security awareness training is the one constant touchpoint between the security team and employees at large, it can be the starting point for all forms of security engagement. Take a look at a couple of the assets we’ve put together to help you get started building truly engaging awareness content:
Adaptive SAT Playbook: Adaptive Security Awareness Training Playbook | OutThink | Cybersecurity Human Risk Management
Eight-Dimension Security Behavior Segmentation: Eight Dimensions Of Secure Behavior Segmentation | OutThink | Cybersecurity Human Risk Management