Digital White Papers

October 2013 Risks and Rewards

publication of the International Legal Technology Association


SECURITY AWARENESS TRAINING: IT'S NOT JUST A GOOD IDEA, IT'S A MANDATE

SUPPORTING THE ABILITY TO CHANGE

The "ability" phase is critical to successful long-term change. Without it, employees become discouraged, and even with the best training they will abandon their efforts to change. In this phase, focus on eliminating barriers or roadblocks that might inhibit employees' abilities to change their behavior. In some cases, this is a nuts-and-bolts, practical aspect of security awareness; for example, if you tell employees to use encrypted USB drives only, enable them to do that by making sure encrypted drives are available. However, you must also ensure employees have well-educated resources upon which they can call to answer questions, provide guidance and validate that they are making compliant choices. Educating the helpdesk team on every aspect of security awareness is important in this effort.

REINFORCING BEHAVIOR

One of the key differences between security awareness and some other projects that involve a training aspect is that because security awareness is really about long-term culture and behavior change, it isn't a one-time event. It's an ongoing program. There will always be new threats and an ongoing need to stay vigilant. There will always be opportunities to remind employees that they must be on guard and watchful to make sure they are doing everything to protect the trust clients have placed in the firm.

The "reinforce" phase of this ongoing program includes incentives and rewards. Find ways to celebrate successes — announce the names of employees doing their part or incorporate friendly competitions if that is in keeping with the culture of your firm. In this phase, you will once again rely on frontline managers to gain an understanding of where change is taking hold and where there might be pockets of resistance that require increased efforts and more attention to help bring about the desired behavioral changes. Use the information given to you by those managers to create internal case studies and success stories to share with others, and demonstrate how employees are incorporating security awareness into their work life at the firm.

FINDING THE COMMON THREAD

While each phase of the change management model has a unique focus, the common thread among them is communication. Leveraging creative, clear and concise communications that engage employees at each phase of the process is critical to the success of your program. Whether you're explaining to frontline managers the importance of their role in your efforts or showing employees how to spot a phishing message, communication is the heart of building support for a culture change that motivates employees to adapt their behavior.

In today's world, filled with ever-changing and increasingly sophisticated cyberattacks, there are no guarantees against breaches or hacking. Your systems will always need technical safeguards, and you will always need smart policies. With a recent security industry study reporting that 33 percent of breaches are the result of negligence, implementing a security awareness program grounded on proven change management methodologies just makes sense. Creating sustainable culture and behavior changes among your employees can ultimately help minimize the frequency and severity of user-related incidents.

As a Senior Change Management Consultant with Traveling Coaches, Inc., Julia Montgomery advises clients on all aspects of change management related to technology projects. She specializes in developing strategic communications. Julia is a Prosci-certified Change Management Practitioner and a member of the Traveling Coaches award-winning user adoption consulting practice. She can be contacted at
