Zooming Back Into the Office–Securely
As work arrangements focus on the return-to-office plan, CISOs can improve cybersecurity while supporting flexible work.
But I’m gonna let you in on a little secret; I’ve formed a little hobby of my own: collecting egregiously bad internal/enterprise IT communications emails.
Yes, it’s a very exclusive club, and yes, I’m very cool.
The tough part is that many are from the good folk in information security.
Today, I received a (fully scraped and anonymized, of course) example of a recurring, but unfortunate email. The topic? The rollout of a new IT security awareness program. Brilliant! Christmas has come early. Let the criticism commence...
Now, before I whip out the red marker, I’d like to deliver a hearty kudos to the IT security team for including an awareness program, and using words like “culture” in the same sentence as “cyber security.” (Seriously, it’s crazy how rarely those words are used in the IT collective.) It is noteworthy and a strong few steps forward on the journey towards a people and cultural approach to cyber security.
BUT, (and here comes my red marker) mature and advanced programs (re: SANS 2021 Awareness Benchmark Report) spend more time and have greater skills in communicating well to (and with!) those pesky humans at your organization.
So, what irked me with the forwarded communication I received? Total supersaturation of one of the best (and arguably, an embodiment of America) types of punctuation: the illustrious exclamation point. It was liberally spread throughout the announcement, as though it was a dare to see how many they could implement.
Why am I so hellbent on coming face-to-face with the line and dotted beast? Because, believe it or not, the exclamation point can be used to display a plethora of emotions, not just excitement. It’s also the easy way out for the writer to convey their emotion, which mostly, if not always, tends to make it fall flat.
Don’t believe me? Here are a few examples from the email:
Yes, there were two exclamation points. You immediately got that sour taste in your mouth, didn’t you?
NOTE: The only time you’re allowed to use two is if you’re telling your friend “Let’s go see Fast and the Furious!!”
It’s clear the writer is trying (keyword: trying) to get the audience jazzed, but if read the wrong way, could this be seen as threatening? I mean, Infosec communications never sound like that, do they? *Cough cough*
Seriously, they won’t. They’re speaking to an empty room and they know it, but they’re hiding behind the exclamation point.
I get it, the Infosecurity Manager at this company was trying to convey excitement and encourage end-users to embrace security awareness (yay for Governance?), but the art of rhetoric is about understanding your audience to create a compelling argument, not putting your faith in unstable punctuation. Placing myself in the ‘average end user’s’ shoes while reading the email, I felt about as useless as an Oxford comma.
Rhetoric (Noun): the art of discourse, wherein a writer or speaker strives to inform, persuade, or motivate particular audiences in specific situations.
What makes it work? Well, about all of Infosec, I think we have enough Spock, and we need to work on our inner Kirk.
Here are 5 things to consider when drafting your next IT Security Communication Asset:
Take advantage of the word “Rhetoric.” And hey, give the period a chance, will ya?
Here at Cyber Maniacs, we know how hard it is to get people excited about Information Security, but wanna know our secret? We love the challenge. It’s kind of our thing.
We freely admit that communication is like cutting down a tree with a fish. Messaging and marketing and getting your voice heard and understood is ridiculously hard. Why do you think companies spend billions of dollars marketing to all of us as consumers? Why is there an entire industry focused on getting our attention and shoving info into our brains about their products? If it was easy getting humans to listen to you, then anyone could do it.
We believe in a guilt-free zone: it’s not IT or Information Security’s fault (to date almost no one I’ve met in these functions has ever had formal marketing training. Maybe some comms, but nothing that is deep or cutting edge).
Excitement for you is not necessarily excitement for them. *Ahem* Remember my exclamation point rant? *ahem*
Last, but not least (and watch me use this exclamation point properly):
I want YOU to be excited.
Good luck, live long, & prosper.