Amsterdam, Oct. 10 By Koen van Nistelrooij
Often it goes something like this: “Oh guys, we have to do something about awareness.” A few fun activities are chosen, a few phishing tests are rolled out, a few topics are selected with matching intranet articles and e-learnings, and everything is sent out organization-wide. Someone keeps a tight eye on who is participating and who is not. But in the end, everyone is surprised to find that no gains have been made in behavior change, let alone culture change.
Obviously a tad overstated, but this is what is happening at the core. There is simply no solid one-size-fits-all strategy, because ultimately one size fits no one at all. Nevertheless, there is certainly a way to achieve the desired change in information security behavior and culture. For that, the starting point has to be looked at carefully first. Namely: where are we as an organization now, where do we want to go, and what needs to change for that to happen? These are steps that are now too often skipped.
The traditional awareness strategy

In fact, it often starts with a vendor wanting to sell their information security product. The buyer thinks, “Hey, yes, this is a nice intervention! We should do something with this too.” And then the rest of the strategy is built around that. A few separate interventions are purchased, a few topics for the coming year are selected, e-learnings are deployed, and on top of that the CISO writes five intranet articles.
That is roughly what a traditional awareness program looks like; maybe a speaker is brought in to shake things up. But that is often it. It was always about awareness, and awareness alone. Today, it should be about a thorough, well-designed, multi-year curriculum. You don’t change behavior on Monday morning between nine and quarter past nine.
The first steps are being taken
Slowly but surely, we do see more and more measurement. Behaviors are measured, and so is which behaviors need to be influenced. The Plan-Do-Check-Act cycle is now eagerly used in many agencies and organizations: a convenient cycle through which you plan, execute, check the results and then adjust again. Yet the plan phase is often not clearly developed at all. There is not yet a sharp enough focus on what is actually important and which behavior one wants to influence.
So how should it be done?
Where it used to be about awareness, today it is much more about behavior change. With a well-researched curriculum, you can change not only employee behavior but also organizational culture. It is also about the longer term. You can make a plan for this year, but how does that fit into the bigger picture, and what do you build on after that?
You begin with ironclad research. Where are you now as an organization, and specifically in the area of information security and privacy? Where do you need or want to go? What does the organization need? What is important for a safe work culture? Brooklyn Partners’ Cyber Barometer includes as many as 80 behaviors important to a secure culture. Phishing alone accounts for two of them: “Does an employee recognize phishing?” and “Is it properly reported?” But out of all these behaviors, how do you prioritize which ones are most important, and what should follow next?
You want to be able to map out exactly where you are as an organization and where you want to go, and then be able to attach clear measurable goals to it.
This is how Brooklyn Partners does it
We made the whole planning phase much more solid and robust. Using our own method, we first take a critical look at the current situation, and not just in the area of privacy and security but at the bigger picture. Consider, for example:
- A municipality about to merge. There is a lot going on in the organization. How can we connect that to awareness, and what does it mean for awareness?
- An organization adopting a new mission and vision, completely changing its organizational goals. How does that affect a safe work culture?
- An organization that is going to digitize very fast. What does that mean for the program we want to run?
We also look at organizational goals and constraints (such as time investment and budgets), and then at key risks. We zoom in further and look at the goals of the Information Security & Privacy departments themselves, which are often more technical and procedural. For example, if the department is implementing multi-factor authentication, that is exactly what you need to reflect in your awareness strategy. Or deliberately leave it out, if the goal has already been achieved through technology or processes and no employee behavior needs to change.
We also always take a look at the past, what has worked and what hasn’t?
Then we look at target groups. This is a completely new and groundbreaking approach that clearly sets us apart from others. In the past, an organization-wide approach was always sought, or as we call it, a one-size-fits-no-one approach. Sometimes organizations did look per department; ICT or HR, for example, would get a slightly more technical or legal approach. But we found out that this doesn’t work at all. We saw that you have different types of people within each department. Think, for example, of the supervisor, the regular employee, the employee with increased risk (because they have more rights and access) and the ambassador (someone who already works safely and also likes to point out an unsafe act to a colleague). So you already have some characteristics of such a type of person, and they are often the same across all the different teams. If you do not offer the at-risk employee something specific, for example, you will lose him or her: “There they go with phishing again, I know that by now. I’m working on the more complex cases, I don’t have time for this.”
So instead of 20 departmental strategies, you now get 4 persona or target group strategies. For each target group you look at what you want to accomplish in the next 3-5 years and what your goals are.
Only when you have all of that down on paper do you start looking at appropriate interventions and channels. Not the other way around.
Brooklyn Partners’ distinctive approach
After gathering all the input, structured in our methodology and templates, we set up a robust awareness strategy together in 2-4 hours. No thick reports, but a very complete picture summarized in a few slides.
Many organizations then want to move forward with us – but they don’t have to, because the strategy is not specifically tailored to our services. If they do, we guide the whole process and, above all, we do it together. We carry out the measurements, then together we determine the strategy. We set up an annual program, and every month we check in on the state of affairs and make adjustments as needed.
Together we set up a unique-size-fits-everyone approach
You just want to get together with your project team every month and roll out a really well-crafted and thorough awareness strategy, don’t you? Let our colleague Tom at the bottom of this page know right away, and we’ll get back to you. We’re happy to let you take a look under the hood.
Would you rather puzzle it out yourself and purchase separate interventions? Then, above all, start with a thorough examination of where you are and where you want to go, per target audience. You are always welcome to give us a call to discuss your situation. Our general email address and phone number are on the contact page.