By Perry Carpenter, KnowBe4 Chief Evangelist and Strategy Officer.
I’m a bit of an oddball when it comes to the security awareness market in that I’ve seen it from virtually every conceivable angle. I’ve:
Over the nearly 15 years that I’ve been directly involved in building my own program, advising security leaders and vendors, or helping shape the future of KnowBe4, I’ve learned a LOT about what makes a security awareness program viable and scalable for long-term success.
In this post, I’d like to talk about one factor that many people overlook in the earliest stages of program development, but which can become extremely critical once the program kicks-off: choice.
In my former role as a Gartner analyst covering security awareness strategies, I had the honor of personally working with thousands of security leaders around the world as they built-out their awareness and behavior management programs. During that time, I was able to really get my finger on the pulse of the types of things that help security awareness program managers move from a feeling of powerlessness and frustration to feeling and knowing that they are empowered.
There are obviously a number of factors related to being a successful security awareness leader. I’m going to focus on one important factor today: the continued need for fresh, quality, and varied content.
The “Choice” factor
In my experience, no single factor makes people feel less empowered then when they feel like they have a lack of choice. I saw it all the time at Gartner – clients would call asking what the different security awareness vendors had because they felt limited by the content available with their current vendor. This was expressed in different ways. Here are seven examples:
You get the picture. In fact, the number one reason that a customer will decide to evaluate other security awareness vendors is frustration with the limitations of their content library. In other words: content variety and choice matter.
For this reason, I always recommended that vendors within the security awareness market offer an “all you can eat” licensing model so that clients will feel the freedom that comes from being able to adapt their content choices as the needs of their program change. I also advised vendors to offer multiple ‘flavors’ and ‘lengths’ of content for the same reason. Doing so reduces unneeded stress and addresses a TON of potentially unforeseen future-arising needs. Choice equals freedom.
Learning from other industries
I’ve always seen security awareness training as a multidisciplinary art that draws from the fields of marketing, design, journalism, entertainment, cognitive science, behavioral economics, and more. We need to understand how people naturally think, behave, express preferences, make choices, and adopt new beliefs if we ever want to be effective in shaping their security-related thoughts and actions.
The biggest problem with the security industry is that we always think we are unique, and so we tend to try to create things without first learning from how other industries have approached similar issues.
I’ve been a big fan of Malcolm Gladwell’s writing and speaking ever since I read his book “The Tipping Point;” and I remember back sometime in the 2004 – 2006 timeframe watching his TED Talk titled, “Choice, Happiness, and Spaghetti Sauce,” where he told the story of Howard Moskowitz, a “food consultant and psychophysicist who has worked with Pepsi and Campbells Soup, among others, pioneered the idea ‘intermarket variability’ — creating many different types of a product to appeal to as many different tastes as possible.”
(https://www.youtube.com/watch?v=iIiAAhUeR6Y)
I encourage you to watch the TED Talk and also read an interview or two where he describes Moskowitz’s approach. Here’s a snippet from an interview with ABC related to education:
"People were who were in the spaghetti business thought there was such a thing as the perfect spaghetti sauce. He was the one who disabused them of that."
Moskowitz, Gladwell says, believed a company producing spaghetti sauce should be trying to understand all the different dimensions of human taste and catering to them.
"How many people out there like there spaghetti sauce thick and chunky? How many like it spicy? How many like it heavy on the meat? How many like it thin, like classic Italian spaghetti sauce, which is very finely grained?" he asked.
"He educated that world about the width and depth of human difference."
As you look at the success of Moskowitz’s clients after taking his advice, it is clear that he was right. One of his mantras with any company he was working with was, “There is no perfect _____ only perfect _______s.” For instance:
Media companies know this as well. Netflix has a ton of variety, but they know that you are only interested in a subset of that. YouTube has a ton of variety, but you self-select the content that you like. The Internet has hundreds of millions of websites, but you self-select the websites that you need based on your preferences and the contexts of life that you are in.
Shouldn’t security awareness content be the same way? When selecting a security awareness vendor’s content, you need to think about these things:
The KnowBe4 Mission: Empowering Security Awareness Leaders through Choice and Relevance
I realize this is a lot to digest right now. But I wanted to give you a glimpse into why we believe that our creation and continual curation of the world’s largest security awareness library is just what you need. Our Diamond package gives “all you can eat” access to this library for a fraction of the cost that most vendors charge for extremely limited sets of content.
With Diamond you get always fresh content, included in the price. You get a great variety of choice—almost like Netflix—so you can customize as needed to fit different departmental needs, learning styles, compliance needs, or address unforeseen needs for new content.
Given the continued changing landscape of security threats from social engineering, security awareness training is crucial as it gives your organization that needed last line of defense, the human. As each organization has a different culture and maturity level for their awareness programs, it is important to have a variety of materials, to help keep employees on their toes with security top of mind. Our continued commitment is to provide the world’s largest and most complete set of globally relevant security awareness materials.
The KnowBe4 ModStore: Always fresh, always relevant, continually growing
As one example, KnowBe4 recently partnered with Twist & Shout, makers of highly entertaining security awareness films for businesses. Their “Restricted Intelligence” series is highly regarded and being used by many of the largest brands on the planet. And their content has won awards in both the security industry and the communications world.
The videos cover a wide range of social engineering tactics employed by cyber criminals, including 13 modules now available to KnowBe4 customers as part of its diamond-level package. Season 1 video modules will have 32 languages by the end of October.
We added the Twist & Shout training modules to the Diamond level in the ModStore at no extra cost. You can check them out immediately in the KnowBe4 Modstore, no need to talk to anyone. Go to the Search Filters (top right) and in the Publishers section choose Twist & Shout.
Not a customer yet? You can still take a look at the Twist & Shout videos. Fill out the form and get immediate access to preview this and all the content from KnowBe4:
Or, cut & paste this link in your browser: https://www.knowbe4.com/training-preview