#HowTo: Use Marketing Principles to Gain Employee Buy-In and Results

It has become common for companies to offer cybersecurity training to their employees. Equally common is the groan and eyeroll that employees express when they receive the dreaded email saying it’s time for that training.

Whether you are a business leader or a rank-and-file employee, we should all be able to agree that cybersecurity training is important. People at all levels tend to be vulnerable to things like phishing attacks, and 60% of the time, human error is the culprit when an organization is compromised.

If people tend to be a vulnerable vector for hackers and businesses are training them about cybersecurity, why are there still so many breaches? Something doesn’t add up. As a marketer turned cybersecurity business owner, it’s clear to me that traditional approaches to cybersecurity training have failed. Cybersecurity professionals and business leaders need to apply basic marketing principles to make their organizations safer.

#1 - Get Audience Buy-in

Security training is typically mandatory. Businesses require their employees to go through training to check a compliance box without explaining why security matters. This is essentially the “because I said so” approach, and it works about as well here as it does when I use it on my 10-year-old.

No matter how many workers undergo training to meet compliance standards, there will continue to be breaches if people don’t understand why it matters and how to respond to threats. Security leaders need to provide context about types of attacks, why they are everyone’s problem and what to do when they happen.

#2 - Don’t Force Feed Everything at Once

A savvy marketer would never send potential customers a 10-page white paper and sit back waiting for the leads to come in. If you were the customer, would that convince you to buy? Of course not.

We need to make the content easily digestible with lots of small bites. You can provide regular training sessions that go into greater depth but complement them with snack-sized sessions that employees can nibble on. Follow up bigger trainings with short quizzes and lessons to reinforce what was covered in the bigger sessions.

Send a short weekly email with one key thing to remember. Post the story of another company that was breached on Slack and discuss the lessons learned.

#3 – Test and Measure

Over the last decade or two, marketers have gotten proficient at using data to measure which tactics and strategies are most effective. They do A/B testing of different messages and content to see which land better with audiences. They analyze what social media posts get the most attention. They know which calls-to-action lead to action.

We should be doing the same thing in security. Quiz employees after training to see what they learned – and where there are still deficiencies. Follow up over time to see what knowledge is being retained and where vulnerabilities are growing. Track which video lessons are getting watched and whether they are being viewed until the end or turned off after 10 seconds. Crunch the data to see if there are trends in certain departments or roles. If 75% of the procurement department doesn’t know how to recognize a phishing email, you know they need a refresher ASAP.

#4 – Don’t Just Feed Them Broccoli

Everyone needs their vitamins, but if you only feed people food they don’t like, they’ll find something else. Even marketers promoting serious products must mix in light, fun messaging.

While cybersecurity is serious business, learning about it doesn’t have to be dull. Use interactive videos and games to make it something employees look forward to. Introduce some friendly competition to motivate them. Challenge the sales team to see if they can do better on a security quiz than the engineering team.

#5 – Optimize for Revenue, Not Leads

In other words, “optimize for results, not participation.” Participation is great, but it’s not the goal. It doesn’t matter if 100% of your employees undergo training if one of them still clicks on a phishing mail. That’s the problem with training programs designed for compliance. Your goal should be to make the organization more secure, not just get people to take the training.

With humans being such a common factor in cyber-attacks, businesses tend to view them as a weakness. Rather than put people in a position to succeed, the approach has been to accept the weakness and do the bare minimum to address it. That is a great way to ensure nothing improves. Why not learn from what has been working for marketers and apply those lessons here?

Marketing principles aren’t the magic bullet to turn a business into a security fortress, but they can go a long way to closing some of the gaps that still exist – and ultimately make everyone safer.