Last time we talked about information security and why people are resistant to it; this time we will look at how we can help people understand the "why" of information security and how we can inspire change.
"Teaching is more than imparting knowledge; it is inspiring change. Learning is more than absorbing facts; it is acquiring understanding."
—William Arthur Ward
Teaching information security to your colleagues can be challenging. It requires a comprehensive approach in which you not only cover the technical parts but also teach the fundamental principles and best practices (which differ somewhat between parts of the world but are still very similar) and, hardest of all, change mindsets towards a will for continuous learning and an understanding of WHY.
Ok, what’s next? You need to:
Understand the audience.
What audience do you have? The corporate leadership team, the technical team or HR? Start by identifying the knowledge of information security your audience already has and why they are there. Tailor your curriculum and teaching method accordingly.
Build a foundation.
Start with the basics: go into more detail if the knowledge level is low, and treat it more as a refresher if the knowledge level is higher. Begin with the principles of information security and the most common vulnerabilities and threats. Make sure the audience understands these basics before moving on; otherwise they will not understand the more complex parts. Here you can also present the legal and regulatory requirements relevant to the audience (these depend on the country, the sector and where in the organization the audience works).
Give context.
It is important to give context to the theoretical parts of information security. Use real-life examples to show what can happen. With case studies you can demonstrate the consequences of an information security incident, but you can also show success stories, e.g., what you can prevent if you have sufficient security controls.
Make it fun(nier)
To be honest, even for us professionals in the area, security can be quite boring sometimes. Just think what some of the audience might think; they often only take the training because they have to. One way to address that is interactive learning that encourages participation. You can do that through workshops, exercises and real-world simulations. When people are allowed to use the knowledge they have gained in practical scenarios and to problem-solve, they tend to understand how it works and why it is needed. If they fail, e.g. get hacked in an exercise, it is important to go through how it happened and what was missing.
Encourage Critical Thinking
Another way to teach information security is to encourage critical thinking. This helps the audience analyze security challenges from different perspectives, and it builds competence in risk assessment and in implementing more effective security measures.
Emphasize Soft Skills
It is also important to emphasize the soft skills related to information security. Information security is not only about laws, regulations and security measures; it is also about communication and teamwork. If you do not communicate or work as a team, you can skip the controls related to human behavior altogether. They will not work anyway.
Create a Community
Last but not least, there is great value in communities where employees can exchange knowledge and ask questions. This encourages knowledge seeking and helps promote the skills needed when working with security. One piece of advice is to have different communities for different audiences: for example, one for security professionals, where the complexity can be a bit higher, and one for the business, where you talk more about basic security.
And a little reminder for you as a teacher: stay updated. Materials and methods in this area are constantly changing, and best practice can change even if it is just one sentence in a standard.