Who should deliver your security awareness message?
Effective security awareness depends on establishing credibility with your users. This motivates some small awareness shops to employ a high-prestige speaker to deliver their messages, “borrowing credibility” by leveraging a known logical fallacy for good aims. Unfortunately, this tactic can backfire.
Of all the voices clamouring for our attention in the cyber security world, whose do you give credence to? The CEO of a major technology company? Perhaps a scientist with a track record of peer-reviewed research? Maybe a reformed cybercriminal who decided to go straight?
Those all seem like credible sources … so long as they’re speaking from their domain of expertise. What happens, though, when a credible source opines on a subject that they know little (or even nothing!) about? Odds are good that most people will believe them.
This is the logical fallacy known as the “argument from authority” (a.k.a., an “appeal to authority,” or “argumentum ad verecundiam”). There are two common versions that cause problems for the security awareness community.
The first is having a senior leader – a person holding hierarchical authority – speak on a security subject they’re not proficient in.
The second is having a recognized authority in one subject speak on a subject outside their specialisation. In both cases, there’s a natural human tendency to assume the person speaking is trustworthy by confusing the speaker’s authority with credibility.
How is this a problem? Consider this: our function is to inform, educate, and connect with our colleagues. We use facts, examples, and analogies to help technical and non-technical users understand threats, indicators, and countermeasures. Our goal is to ensure that every user in the organisation is forearmed to successfully resist a cyber security threat. Meeting this goal is often a challenge.
According to the 2018 SANS Security Awareness Report, most organisations have fewer than four full-time employees working in the awareness field; most organisations – especially those with immature awareness programs – have only one full-time worker.
Oftentimes, when you have so few people working in a niche specialty area, a logical side-effect is that these professionals aren’t particularly high up in the corporate power structure. There’s no shame in that; it’s normal and appropriate. A function requiring only one or two people is traditionally staffed with individual contributors, not managers, directors, or executives.
Most places that I’ve visited didn’t even have a dedicated security awareness resource. The “function” was tacked on to an existing individual contributor’s workload as an “additional duty.”
That structural limitation inflicts a credibility hit on us right out of the gate.
First, a message coming from an individual contributor in a small shop isn’t as likely to be consumed or acted on as one coming from an executive or other senior leader. Our messages are competing for attention and it’s appropriate that the boss’s needs get addressed first.
Second, our relatively low profile (compared to senior leadership) means less “face time” before the organisation.
Again, this makes sense. The senior leaders regularly speak to the company through broadcasts, group meetings, policy statements, etc. Small shops simply don’t have the same opportunities for exposure or brand-building.
Therefore, it seems like a smart idea to convince one of your senior leaders to deliver your security awareness messages. When the CEO stands before the crowd and delivers a caution, everyone is going to hear it and pay attention. That sorts the credibility issue, right?
Not necessarily. If you can distil your message down to a well-tuned and catchy soundbite, then sure. You can coach your senior leader to represent your position. Their authority will lend your message the appropriate weight, which should positively influence compliance.
Yet, that’s a big “if” statement. Communications professionals know that even the best written lines can be flubbed if the speaker is distracted, interrupted, or confused. Everyone can botch a message delivery.
What’s worse, though, is when the speaker is prompted to go “off-script.” This happens when someone else – either on-stage or from the audience – asks a clarifying question or attempts to build on the crafted message.
The moment you ask your designated speaker to improvise, you’re setting them up to look foolish (for not knowing the answer) or to give incorrect information. This is not the best way to treat your trusted executive allies.
You need executive support; your program can’t survive without it. Never antagonize or alienate your senior leaders.
There are ways to mitigate this. In the U.S. Dept. of Defense Public Affairs course, we were taught how to train our senior commanders to deal with hostile media reps. We helped our speakers stay calm under fast-paced questioning, to stay on-message, and to avoid the temptation to ad lib. It’s a difficult and time-intensive process, and I don’t recommend it unless you have a strong and proficient Public Relations team to help with the prep work.
Another tactic for “borrowing” credibility is to use a recognized resident expert as your spokesperson (instead of a senior leader). Having the acclaimed and celebrated head of Project X deliver your message ought to be just as effective as having it come from the CEO. The advantage to an expert, though, is that they ought to be more effective at handling those improvised remarks. Right?
Unfortunately, no. As David McRaney quipped in his book You Are Not So Smart: “Those who devote their lives to the study or practice of a given idea are worth listening to when it comes to the areas of their expertise, but this doesn’t mean all their opinions are golden… If a celebrity basketball player tells you to buy a particular brand of batteries, ask yourself if the basketball player seems like an expert on electrochemical energy storage units before you take the player’s word.”
There’s an additional danger with employing subject matter experts to deliver your message: some experts can’t tolerate looking foolish. When challenged on a position that they’ve taken before an audience, such people are more likely to double down on a weak idea rather than admit they may have misunderstood or miscommunicated. That’s not going to secure you any credibility; if anything, it undermines your message and leaves your users even more vulnerable.
Your system users have enough stress in their lives already; the last thing we want to do is add to it. Security awareness’s objective is to reduce stress through confidence and competency.
Unfortunately, there’s no substitute for earning your own institutional credibility. No matter how small your awareness program is, it’s incumbent on your team to create and burnish their brand. The best way to do this is to engage the users as often as possible, as effectively as possible. Present, publish, and engage. Get out of the office and meet the users where they are; offer practical help to common problems while being friendly, encouraging, and respectful.
It’s okay to ask executives and experts to help reinforce your awareness messages; just don’t ask them to deliver your messages. The risk-versus-reward equation just isn’t worth it. Besides, it’s never polite to set your boss’s boss up to look foolish. That’s not a good way to retain a crucial ally.