In this article, we discuss how to develop security maturity in 30 days or less using an activation approach.


Have you seen the Netflix special in which British comedian, Michael McIntyre, talks about passwords at the London Palladium? He has the audience in stitches. Why? Because he relates how most people feel their password choices are unique and secure, when in fact they are entirely predictable. 

It's a stark reminder. It's so easy to lull ourselves into a false sense of security. It's so easy to remain oblivious to our default choices and behaviors. So easy to remain completely insecure, leaving ourselves and our organizations vulnerable to cyberattack. The best defense against attack is to keep security at the forefront of your organization. But how?

It may seem daunting. However, with the proper guidance, time, and practice, we can all master just about anything. And the same principle applies to generating a security mindset. At the outset, it might seem like it'll take a long time to develop, but with the correct recipe and the right ingredients, you might be surprised at just how fast you can actually manage it. 

In this article, we'll discuss how you can get your team to adopt security behaviors easily by using the principles of activation – which are action, follow-through, reflection, and insight sharing. 

Accept that it's an ongoing process

In the same way that maintaining health or fitness takes consistent work, refining and improving security behavior is also an ongoing process. 

Chris Romeo might have put it best when he said, "A sustainable security culture is bigger than just a single event. When a security culture is sustainable, it transforms security from a one-time event into a lifecycle that generates security returns forever."

So, rather than simply 'checking the box' by getting your InfoSec training done in a few hours or days once a year, it's better to space it out and make it action-oriented. Fundamental change is possible by getting a lot of people to take small actions every day, and this kind of approach makes the challenge seem smaller and more doable for your busy team. 

Creating a security-first culture might seem daunting at first. And it's tempting to want to take the more traditional route by providing information and hoping that people will act on it. But this method seldom works. That's because the real key to sustainable behavior change is to provide your team with all the right ingredients to increase the likelihood of them adopting the desired behavior. With that in mind, let's take a look at how you can activate behavior change in your employees. 

Get your team to take action

The first step towards generating a security mindset is through consistent action.  Unfortunately, cybersecurity awareness training will often tell employees what to do rather than getting them to do it themselves. It's a bit like reading a recipe but not making the meal and then still expecting dinner! 

Give your team opportunities to practice and experiment with the required behaviors several times, over several weeks, until these become second nature. 

For example, if your goal is to develop the habit of recognizing and reporting phishing emails, then your approach could look something like this:

  1. Show your team a short video on how to recognize phishing emails.
  2. Get them to complete an online quiz to test their skills.
  3. Send a phishing email every few days to your audience to see how they deal with it. 

Get your team to follow through on a task

How many times have you promised to take something on but then never gotten around to actually doing it? Now think of when you committed to a task and someone nudged you to get it done. You did it, right? 

Getting your team to follow through is your next step towards generating security maturity. Completing an action has an immediate impact on behavior. So let your team decide when to do the task by setting up auto-reminders in a calendar. Helping people to follow through on their commitment to change increases the effectiveness of learning experiences.

Get your team to reflect on the task

Now think about the last time you reflected on an event in your life. What happened? You probably viewed the experience differently, figured out what worked, and reflected on what you could have done better. Reflection is a powerful tool for learning new behaviors. That's because we don't primarily learn from our experiences, but from reflecting on our experiences. 

It's therefore essential to include opportunities for people to reflect on their tasks in any InfoSec training program, and to allow time for team members to reflect on what they have learned. During this time, ask your team members some pertinent questions that will bring the experience to the front of their minds. The purpose is to take people to the cusp of a realization where they connect the dots for themselves. Learners will relate new information to their own experiences and create new neural pathways, including adopting critical security behaviors. 

Now let's go back to the activity we mentioned earlier. Discuss these questions with your team:

  • How often would you say that you hover over links in emails to inspect them before you click on them?
  • What impact do you think clicking a malicious link could have on your personal and/or work life?
  • Tell me about a 'phishy' experience that you have had. 

Getting people to consider how hackers can use their information takes them to the edge of an aha moment. Suddenly, they perceive a gap in their thinking and can close this gap with a powerful epiphany. It's at this point that you can ask learners to share an insight.

Insights and social learning

Sharing insights is where the magic happens! Think of a time when someone asked you for help with a task or activity and you had the right knowledge or experience. The person who asked you for help probably valued your knowledge more than if they had Googled it. Also, the experience probably made you feel good because you helped someone. As humans, we need to feel connected, and we build connections by sharing our experiences. 

So crank your reflection time up a notch and ask your whole team to share their reflections with other colleagues. Discussing and expanding on each others' shared insights adds a social layer to learning, with peer learning driving group cohesion. Social learning also cultivates the sense that 'we are all in this together', which is a powerful way to cement your security-first culture. 

Final thoughts

How long does it take to generate a security mindset? If you sign up for our neuroscience-based approach to InfoSec training, you could develop security maturity in 30 days or less. Want to try it out for yourself? Sign up here for a free trial.