Chapter 4

Creating a Security Awareness Strategy

IN THIS CHAPTER

• Knowing the best way to talk to users

• Figuring out what you want to say to users

• Gauging whether users are listening

• Finding a way to pay for it all

Perhaps one of my biggest frustrations is when I talk to well-meaning people who manage awareness programs and they say something like this:

“I contracted a CBT and phishing service, and I think I will phish people once a quarter, and here is my plan for which video I will push out each month. I was going to see how that goes for a few months and then figure out what else to do. What do you think?”

These questions reflect the common misunderstanding among many in the cybersecurity world that you can run a successful awareness program by throwing the proverbial spaghetti on the wall to see what sticks.

Building a security awareness program requires having a strategy. CBT and phishing services are tactics. Before you start buying anything, you should know how you intend to use it and how it fits within the overall strategy of your awareness program. So often, people get ahead ...
