Cybersecurity communication should be simple, immersive, attractive, continuous, and multi-channel, says Marcin Ganclerz, a subject matter expert. He passionately argues for creating a 'culture of enablement and not fear' so employees can play a vital role in enhancing cybersecurity communication effectiveness. Marcin also shares several examples and best practices in support of his recommendations.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-19-making-cybersecurity-communication-effective/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.
Hello, everyone. I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I have the pleasure of talking with Marcin Ganclerz, an expert in cybersecurity awareness and training. Marcin, welcome. It's great to have you as a guest on the show today. Thanks for making time to share your thoughts and perspectives with listeners. To get the ball rolling, Marcin, how about sharing with listeners a bit about your professional and cybersecurity journey?
Hello, Dave, thank you so much for having me on. It's great to be here. My cybersecurity journey is quite interesting and unusual, because I'm a former journalist. I worked at Polish public television for eight years. And one day I had to prepare TV material about a phishing attack. It was about a man who lost all of his money because cybercriminals broke into his bank account. It was a time when phishing attacks weren't so common in Poland. So as a journalist, I started searching for information about phishing attacks: what they look like, what the consequences of the attack are, what the techniques are. I had to record some experts. And that's how I found cybersecurity is very interesting. After I had finished this material, I started reading about cybersecurity, following some experts. And that's how I became passionate about cybersecurity. A few years later, I saw that the biggest bank in Poland was searching for a person responsible for building a cybersecurity program for clients and employees. And I came to the conclusion that it was the best time for me to dive into this cybersecurity world. I got the job. And that's how I became a cybersecurity awareness expert.
Fantastic, what a great story. Marcin, you have a lot of experience and probably a lot of interesting stories to share with the listeners. How about we start with some challenges and hurdles that are associated with effective cybersecurity communication?
No problem. I think one of the biggest problems is that, for many organizations, cybersecurity is not a priority. So they prefer to invest in security tools and software rather than invest in this human operating system. They don't want to spend the money on educating employees. I like this meme, probably you know it and our listeners also: security budget before and after the breach. I think it's the same with education. So if it's not a priority for the organization, it's hard to educate employees. They don't see this communication. Another thing is that there's a huge gap on the market. I mean, there aren't a lot of experts, not technical experts, who are specialized in cybersecurity awareness. Usually in the organization, the person who is responsible for educating employees and for cybersecurity awareness is an information security specialist or a technical expert with technical knowledge. And I think the problem with them is that they don't know how to communicate. The technical experts suffer from the curse of knowledge. So for them, everything is simple. I can tell you a great example. Once I had to write an article about passwords, and when I was writing this article, one of the directors came to me and said, Hey, you should write about password entropy. And I looked at him and asked, how many people know what entropy is? And the answer was silence. It's a great example of how most technical experts think; for him, it was obvious what entropy is. For most of the users, cybersecurity is scary, confusing, intimidating; they don't understand it. Next example. When we tell employees how to create a password, we tell them, hey, it should have at least 12 characters, uppercase, lowercase, special characters, numbers, and you should change it every 90 days. And what's more, you cannot have the same password on other portals or services. Is it simple? No, for the users, it's really hard to do. I prefer to tell them, hey, use a password manager. And the last problem, I think, is budget. So if you want to create attractive, immersive communication, you need money. If you want to prepare e-learning or a webinar for your employees, attractive video games, and so on, you need money. If you don't have money, it's hard to do something constructive. It's possible, but it's more difficult. So I think that these are the most important challenges for building effective communication.
Makes a lot of sense. I'm glad you touched upon a very key area. The challenge lies in finding those people who know enough about the phenomenon, have reasonable technical awareness, and have the ability to communicate in plain and simple language. As you know, the cybersecurity phenomenon is very complicated, with so many terms, terminologies, and jargon. The best thing that could happen to enhancing awareness is to try and simplify the message. One of the primary reasons for doing this podcast, Marcin, is to make the cybersecurity conversation more mainstream. And I'm so glad that you have joined me in this discussion. So moving along, what would you consider to be the key elements or attributes of effective cyber communication?
I think one of the most important things is to show people why this is so important. There's a great TED Talk by Simon Sinek, 'Start with Why.' And we should show employees, show users, why cybersecurity is so important for them. And I think the best way to do it is to show them that it applies to their personal life. So, here and there, I mean here at your work and there at your home, the threats are the same. Cybercriminals don't look at whether it's your personal or business email; they have all of these addresses and send the campaign to all the addresses they have. So we should persuade employees that everything you learn at work will help you to be safer in your personal life, at your job and at home. We shop and bank online, we have mobile devices. But at home you don't have a whole cybersecurity department that can help you protect against this kind of threat. So we have to arm employees with tools, and the best tool is knowledge: knowledge of what the attack looks like, how to recognize it, and how to react to it. By doing that, we will make them great cybersecurity agents who can help protect our company. And they will be safer at home. The next thing is that cybersecurity communication should be simple, immersive, attractive, permanent, multi-channel. We cannot only release one cybersecurity training, only for new employees. Of course, we will be compliant with some regulations. But it won't change anything. If we do a training once every few years, it won't change anything. So we have to send them a message every month, every week, in different channels, because there are a lot of channels in the organization. Of course, every cybersecurity communication program and awareness program should be adjusted to the organization. It's easier to communicate in a small company, when you have 20 employees and they are all on the same floor. It's much harder to do it in a global organization, when you have to have security changes and so on. But I want to give you an example. When we write an article, what is the most important part? The headline. If the headline is not attractive, people won't read it. So how do a lot of people write articles and headlines? For example, 'Don't click on a suspicious link.' Is it catchy? It's not; probably most of the people won't read it. Instead of that you can write 'One Click Is Enough To Allow Someone To Steal Your Money.' And this headline will encourage people to go deeper into this article, to click on it and read more about cybersecurity. What else? We should also tell people the story, not only the information about cybersecurity; we should show them the whole context. So why cybercriminals do it, how they do it, and what the consequences of the attack can be. If you have a template and you are limited in words, it's hard to explain cybersecurity in 200-300 words. Sometimes in your organization, communication looks like that. So you have to tell people the story. And you also have to show them what the attacks look like. You can record a video of an example of the attack, of what will happen after connecting a malicious USB device to your laptop. If you don't have technical experts who can do it for you, you can also hire an external vendor. But as I mentioned before, you have to have a budget to do it.
In fact, I want to re-emphasize a statement you made, which is so compelling. You said the communication should be attractive, should be immersive, and should be simple. I couldn't agree with you more. You have to get people to recognize why they need to be aware of different types of attacks, the consequences, and how that relates to the work they do, because at the end of the day, you know, not everybody is thinking about cybersecurity effectiveness like some are. So the recognition that we need to make it more relatable cannot be overemphasized. And that brings up another point that you made, and I'm going to couch it a little differently. What we can't have is a one-size-fits-all approach. Neither can we have the check-the-box approach: okay, there was a compliance requirement; you mentioned the word template; here is the template, let's send it out to everybody, communication is complete. That's not well done. At the end of the day, I think it's all about how genuine the intent to communicate effectively is, and what mechanisms are in place to assess whether the recipient has really received your message. And once again, talking about receiving the message, being relatable, what that brings to mind is the importance of making sure the message is customized, making sure the message is targeted, making sure the message is personalized. Let's say I am performing a certain role in an organization. If you would align the security posture, security measures, the security best practices that I need to be conscious of while I perform the role, that would be so much more relatable; I'll be able to assimilate that so much better than if I'm looking at a one-page-long email with all kinds of do's and don'ts. And like you said, you know, those kinds of emails we all receive in organizations, we tend to look over them, because often the titles are not catchy, the message is too long. And I have a natural tendency to look at an email and the first question I ask myself is, is it for me? Or is it for the masses? If it's for the masses, that gets a lower priority. So that level of consciousness, that recognition is important, and yes, it does require organizations to go the extra distance. You talked about budget, absolutely. And anything else that needs to be done, whether it's from a governance standpoint or from a procedural standpoint, those steps have to be taken, because we cannot emphasize enough the importance of effective communication. So let's go along this direction and talk about some best practices or guiding principles that you see out there.
First of all, as you mentioned, we should divide, and we should think about what groups we have within the organization and tailor the training for them. It's hard to prepare different communication for different groups; in my opinion, it's better to prepare targeted training for them. I have delivered dozens of this kind of training at my previous job at PKO Bank Polski, the biggest bank in Poland. So, for example, employees at the branch centers have different needs than employees working in the call center, or assistants of the directors or the executives. So the best way, I think, is to prepare an online training for them. Of course, as I mentioned, it's easier in a smaller organization; it's hard in a big organization that has 200,000 employees, but it's possible. I think the best way to educate employees is contact one on one, even on Zoom or another platform like Teams and so on, because you have an hour, more than an hour; I think an hour is enough to explain to them why this is so important and show them what the most important rules within the organization are. For example, at PKO Bank we created 10 cybersecurity rules for employees and clients. And when you have these kinds of rules, it's easier to promote them and, basing on them, educate your employees. What's more, what is important, I think we should concentrate on building the human firewall. So show employees that they are an important part of the cybersecurity system, and if they have distilled this knowledge, they will help us protect our organization. I think the problem is that many organizations, many companies tend to treat employees as risks, as the weakest link. And they use all of this terminology that suggests they don't actually have the power to be a strong security agent. When we want to protect our organization, we don't need the weakest link, we need a strong link. And when we see people as a strong link, they act as a strong link. When you use this terminology, risk, the weakest link, PEBKAC, I mean, problem exists between keyboard and chair, this is how most technical experts see the role of the users. They are not the weakest link; they are the primary attack vector. They can be valuable assets for the organization, but we have to educate them, train them, and reward them. I heard a lot of stories where people reported a phishing email and they didn't even receive an email, feedback, whether it was phishing or not. So if you want to build a great culture in your organization, you have to reward your employees, show them that they are important. Of course, there are many ways to do it, and we could spend hours talking about it. We don't have so much time, but you should think and concentrate and show them in every communication, prepare videos, podcasts, webinars on your intranet, show them why the role is so important. You have e-learning? Show them the role in this e-learning. You have articles? Show them in articles. I think it's important, because when you have this culture of fear, employees don't want to report any suspicious email; they are afraid of making mistakes, because you blame them for the mistake. They make mistakes, they are humans, we all make mistakes. And if they don't understand cybersecurity, concentrate on educating them, show them why this is so important, that it's not so difficult. But you have to do it in a simple and understandable way. When you use a lot of fancy words and acronyms they don't understand, they won't understand it.
I'd love to jump in here, because you're saying stuff that's getting me all excited and passionate. And the one thing I'd like to say here is: don't let jargon be the great digital divide. Don't let terms, terminologies, acronyms come in the way of connecting the entire organization and getting them on board, getting them on the same page when it comes to understanding the challenges and how to deal with them. You put it so well when you said employees, people, treat them as the strongest link. There's a difference between being the biggest target and being the strongest link. And that distinction needs to be made. And I'm sure you will agree from your life experiences, and I've seen enough to conclude, that the more you have confidence in people, the more you're willing to trust them, the more you're willing to empower them with training, they will rise to the occasion. You know, in one of my earlier podcasts, I had the CEO of a major corporation make a very telling comment. He said, Dave, people come to work because they want to make a difference. They come to work because they would like to do something great. And that's the kind of mindset that organizations need to have. That's the kind of mindset that would create and sustain what I call in my book the High-Performance Information Security Culture. To be able to create and sustain that culture, people continue to be the most important factor. How you motivate them, how you empower them, that's the challenge. But it's a great challenge to have. And we have enough tools, enough guidelines to make those things happen. The intent needs to be there, the recognition needs to be there. And I'm so glad that you're sharing these wonderful examples with listeners to enhance that level of awareness. So Marcin, while we were having our prep discussion, you said something very interesting that stayed with me. You said the education about cybersecurity should be permanent. Tell us a little more about that.
Why should it be permanent? Because threats are changing every day. That is one thing. So three years ago, we had different threats. And next year, probably we will have different ones. So that's one thing, and the other is that, as I mentioned before, when you release your obligatory training only for new employees and they complete it, the education is not finished. You have to continue to reinforce your education, reinforce this role in different channels in the organization. We learn our whole life; it's the same with cybersecurity. If you only release one training and you think it's enough, it isn't enough. You have to have different tools, different actions to influence people. What is the most important thing in cybersecurity education? Changing human behavior. If you click on the link, what we have to do is change this behavior, and how can we do it? We need the BJ Fogg behavior model. And we need three things. Employees, users, should be motivated. They need to have ability, and a prompt or trigger. And when we have these three elements at the same time, you can change human behavior. So we have to motivate them. How? Show them why, start with why, why this is so important for you. Of course, we have to build the ability, or maybe they already have this ability. And we need a prompt, a trigger. And this communication can be a trigger: an attractive video with a simple message for them. Videos don't have to be very long; especially in social media, people usually concentrate on the first five, six seconds. So the most important information should be included in these first five, six seconds. Or you cannot prepare a 10-minute video about cybersecurity; let's do it in one minute. It's enough to give them the most important information. You can create a newsletter for employees with the most important information and send it to them once a month, once a week. Think about external experts; invite someone to your company who can share the knowledge with your employees. And what's more, you need the right people. That's why the trend on the market is that companies are searching for people not with technical knowledge, but with a communication, public relations, and marketing background. Because all you have to do is find a way to promote your program, to promote the cybersecurity rules: how to do it, how to influence people, how to encourage them, how to change the behavior. And I think most technical experts don't know how to do it.
You know, one of the best practices that I came across in an organization is their approach of incremental learning. Almost every day, an email goes out to the inboxes with one message, with maybe one learning item. So their approach is that we want the cybersecurity education and training to be continuous, to be reinforced; instead of giving it to them all at once in huge chunks, let's give it to them in small incremental amounts, and let's make it a daily activity around the year. So then it's becoming institutionalized. It's becoming part of the organizational DNA, the organizational best practices. Another point that you made, and I want to re-emphasize that, goes back to what we were talking about: making the educational experience, the training experience, as immersive and hands-on as possible. Bottom line, can we make it fun? Can we make it interesting? Whether it's by showing little video clips, or whether it's by hosting some workshops where scenes are enacted about the consequences of what happens, or about how an employee or a set of employees were able to save the company from a certain attack, sharing those in the form of stories, but in a dramatic fashion, that would get the attention of the people. In other words, one has to get creative about how you want to communicate what you want to communicate; some thought needs to go into it. Let's get past the template-based approach that you talked about; let's get creative. Every company has probably a relatively unique culture; they have a better understanding of what would go well with their employees. So they should accordingly customize their communication, as opposed to just hiring an expert from outside and having them run the show. Nothing against experts; I respect experts, and I'm sure experts bring a lot of experience working across industries, across firms. But an organization still needs to have oversight, still needs to make sure that they are working in partnership with the expert to provide the training that is appropriate for their people. So that's kind of the way I think we will make progress. Because, as you know, effective communication is so critical, whether it's getting employee buy-in, whether it's getting the buy-in of the leadership, whether it's trying to convince people about not doing something, of not engaging in a certain act. Unless we have a good way of getting the message across, we are unlikely to achieve what you just said: the change in behavior.
I can tell you an interesting story about one of the e-learning programs I prepared at my previous job. So when I came there, I realized that the existing e-learning was boring. It was 20 slides with a lot of information about policies, standards, and so on, which you had to do, but it wasn't interesting. And my main idea was that we have to change it. And we prepared a new e-learning with an expert; it's not a secret, it was Paula Januszkiewicz, CEO of CQURE. You can find out about it on my LinkedIn profile. And we started from promoting this e-learning, showing employees, hey, something new is coming. And we organized an event. We involved one of the C-level executives in this, because if you need this culture of enablement, it should start with the highest level in the organization. One of Robert Cialdini's principles of persuasion is authority. So, if people, employees, see that cybersecurity education, cybersecurity training is important for our CEO, board member, and so on, it should also be important for me. Imagine the situation where you receive an email about mandatory training from a corporate address, and you receive an email about mandatory training from one of the board members. Of course, if you receive an email from a board member about mandatory training, you will do it the same day. But coming back to the story, so we organized an event. During this event, we told employees what will be in this e-learning program and when we are going to launch it. And I can tell you it was a huge program. So we divided this program into 10 different modules. And I can tell you that after we released the first module and the second module, I received a lot of emails from employees with the information that it was the best e-learning they had ever seen. Because we showed them why, we showed them what the attacks look like, what the consequences of the attack are. And this e-learning program was immersive, because people prefer to watch than to read. So we concentrated on video materials, so you could sit and watch something interesting about cybersecurity. And yes, I think it's important to start from this interesting e-learning program and show them why this is so important for them. And what's more, after I had received all these emails, I came to the idea, let's use it, and I asked these employees, hey, can I prepare a video with you? So you can say what your opinion about this e-learning is, because we want to promote this e-learning within the organization. And they agreed. So I recorded them. I didn't need the budget, because I did it on Teams. I recorded a video with them, with four employees. So I also used their opinion to build the cybersecurity communication.
That's an excellent point. In fact, you made several; you shared some excellent examples. One thing that comes to mind relating to what you just said is building that peer group. In fact, this particular educational institution, they have created what they call the Champions Network. The Champions Network comprises folks who are willing to champion the cause of cybersecurity. So I'm thinking an organization can create a Champions Network, people who will focus on effective cybersecurity communications. And each of these folks serves as an influencer. They serve as a hub who can promote the message more effectively to their group. You mentioned the challenges of achieving these effective communication goals in large organizations. And I believe by creating networks of people, of trained people, people who are passionate, people who are influencers, who have the ability to be very compelling, you can use these networks to spread the word. So it doesn't have to be like a message coming from the top being sent to everybody. I think the approach should be more distributed. And that's how it will take on a life of its own; it will gather momentum, and then you will see a groundswell. You will see a bottom-up approach where everybody is a conduit, is a source of how to effectively communicate or share something relating to good cyber practice. And that's the way I believe the overall communication effectiveness can be achieved, which in turn could lead to creating a high-performance information security culture. Well, Marcin, this discussion is so interesting. I want to keep going. However, we have some time constraints. So I'd like to ask you to start wrapping this up for us by sharing some key messages, some final thoughts, whatever you'd like to share with the listeners.
Concentrate on building a culture of enablement in your organization, rather than a culture of fear, because everything starts from the culture in the organization. When you have this culture of enablement, people love to feel valued. They want to be an important part of the cybersecurity system. If you have the right culture, they will feel responsible for cybersecurity, they will feel like a vital part of the cybersecurity system, and they can be your really valuable asset. But remember, you have to educate them, train them, and reward them, not blame them. Because if you have this culture of fear, if you blame your employees for mistakes, they won't be an important part of your cybersecurity system. Yes, they will really be a risk. All you need in your organization is to make your employees the strong link. The important part of your organization is your employees with tools, and the main tool is knowledge: knowledge of how to react to the attack, how to recognize them. And remember that cybersecurity communication and education should be permanent, should be simple and understandable, multi-channel, distinctive. Remember that you have to change human behavior. Without changing human behavior, they won't be great agents. If they make a mistake, find a way to change it. And I think that's the most important part. And start with why; show them why this is so important. And the best way to do it is to show how cybersecurity applies to their personal life. Because attacks here and there are the same, but at home you don't have cybersecurity experts, technical experts, tools, and expensive software that can help you protect yourself and your family. And find a way to involve C-level executives in your program; show employees that cybersecurity is important for all the people within the organization, not only for employees. And prepare an attractive, immersive communication and awareness program in different channels in the organization. You have webinars, podcasts, videos, emails, newsletters, e-learning, a lot. You can create a Cybersecurity Day, a Cybersecurity Awareness Month; you can prepare targeted training, online training for them. You have a lot of different tools which you can use to build this cybersecurity awareness. And don't be afraid to hire someone with communication, marketing, or public relations experience, because it's easier for a person like me to learn about cybersecurity than for technical experts to learn communication skills.
Well, thank you so much, Marcin. That was very informative. I'd like to wrap it up as well, reminding our listeners of the significance of customized, targeted, personalized communication, recognizing that a one-size-fits-all approach doesn't work. There needs to be a genuine intent to communicate effectively, and suitable assessment mechanisms should be in place to assess communication performance. With that we conclude our discussion for today. Thank you again.
Thank you so much.
A special thanks to Marcin Ganclerz for his time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.
The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.