Make it all about them
Professionals constantly want to expand their horizons and develop their careers. Luckily for InfoSec folks, security is one of the things people want to learn about, since they are being bombarded with it from everywhere, including TV news.
If you frame it right, by making the subject exciting and helping them truly understand the value of security awareness, you'll be surprised how eager people are to learn from you.
Lots of coworkers I interacted with had a negative attitude towards security because of their past experience with rigid, non-practical corporate security policies and unfriendly InfoSec specialists. Fortunately, I found it doable to convert most of them into security-savvy engineers by approaching them in a friendly manner and expecting from them only what's practical.
Expecting people to do things just for the sake of doing them is a daunting task, but you can flip their attitude if you explain your WHY in detail and show them how it can benefit them personally.
You can get their attention by explaining that it's fine to make mistakes along the way as long as they progress, and that learning security will make them much more attractive employees on the job market.
People may not really care about corporate security, but they do care a lot about their careers; it's just not obvious to them that those two areas overlap.
Regular folks are generally curious about topics like social engineering, smart devices and IoT insecurity, so find whatever excites them and use it to instill security into their minds. Emphasize that the habits learned by following your corporate policies can help them in their personal lives as well, e.g. by catching scams such as phishing meant to steal money from their bank accounts, or by securing their homes through locking down WiFi access and using strong credentials for smart home administrative panels.
While the benefits of security education are obvious to us, the key is to transfer the same awareness to our peers, so that they perceive security training as something genuinely beneficial to them rather than something pushed on them just to make them obey corporate policies.
Never shame or blame individuals
People rarely violate security policies with malicious intent. I've met only a few employees who were obsessively doing stupid things just to piss off the security team.
Mistakes usually happen because people are stressed, overloaded and tired, so blaming them just adds to the negativity bucket. Instead, approach each case individually and thoroughly learn what happened in order to prevent the same incident from recurring.
Shaming someone for their lack of awareness is one of the surest ways to kill their motivation to learn. Take at least partial responsibility for someone's incompetence: if someone exposed the organization to severe risk, treat it as an indicator that your security awareness program needs improving.
Don't beat yourself up too much either; just make sure that when failure happens, you step up and be a leader capable of owning the improvement process.
Don’t forget about non techies
Meet up with sales, marketing, support and other non-techy folks to learn which tools they use and how they use them on a daily basis, so you can figure out ways to secure them. Customer-facing roles are especially exposed, as they are the ones who, in order to do their job, need to constantly download unknown data from the Internet. Given that exposure, you must train them to understand the risks associated with their day-to-day work activities.
Most folks in soft-skills-heavy roles are very friendly and get super excited when you share the latest news from the security world with them, like the recent massive hack of popular smart TVs. Such discussions can be a great way to get a foot in the door and later bring in subjects like network security and corporate security culture to provide actual value to the business.