Security Behavior Change

I Like Naps

Robert Fly

Published on 27 September 2017

Security Behavior Change

The one good thing about your current security training?

😴 + 💤 + 😪 = 👍

Yes, through significant scientific research, I’ve identified a direct correlation between the length of standard security training and coma inducing slumber. I suspect you’ll concur; it’s a breakthrough in the research of hypersomnia.

Figure 1: Deeply researched anecdotal data

Wait… that’s not what you wanted?

It’s a sad fact today that CISOs are mostly on a spectrum of ‘unhappy’ to ‘meh’ when it comes to their security awareness programs. The employee engagement spectrum swings from disengaged to asleep. But beyond how they feel, there are real direct costs to bad training.

The simple equation looks like this:

Employee Time * Average Hourly Rate * # of Employees = LOTS OF MONEY

To put in more concrete terms, if you’ve got a one hour training, your average employee makes $50/hour (~$100,000/year), and have 10,000 employees, it ends up as:

1 (hour) * $50 * 10,000 employees = $500,000

So… you just paid $X0,000 for a training solution, with no measurable impact beyond compliance, which then cost the company another $500,000 (not even including the opportunity cost of those employees doing real work).

And you, your team, and employees didn’t even like it.

Is there another way?

I’ll cover this in detail in a future post, so I’ll keep this short and focus on a framework to think through it.

First, stop trying to evolve on what you’re doing today, iterating on bad. Step back and think, “what would success look like if my employees were my best security asset”?

Here’s the three things paramount to getting there:

Everyone needs to care

Ultimately this is about changing culture. The security strength of your organization is highly dependent on employee buy in: that security matters and that they’re part of the solution.

Right content to the right people at the right time

Stop any one size fits all education nonsense that often gets rolled out. If you know someone’s role, level, and context, deliver something that’s relevant and contextual.

Focus on outcomes

Metrics can be hard, but they’re necessary. Target the key things that matter and spend your time on those. Attendance for mandatory training is a useless metric, unless you’re an auditor.

By starting with these three principles, you’ll be on great footing for getting a people-centric security program up and going.

Less time for naps, but more time for security.

What should I do with my current training?

Sleep aids have an addressable market size of $80 billion. Massively untapped opportunity.

In all seriousness, if any of this strikes a chord with you, we’re happy to tell you more about how we actually changed security culture at Salesforce using these three tenets as core drivers of our security behavior change platform. Email me at if you want to learn more.