Do “cybersecurity awareness” campaigns have an actual impact on your organization?


Head of Security and Compliance in Software, 51 - 200 employees
Cybersecurity awareness is interesting, because as much as you read and hear about cybersecurity, there is always a gap in terms of taking it seriously, applying it in your day-to-day job, and making sure that it's always a background consideration. That's how we get into all the ongoing cybersecurity issues that we see every day.
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
We are still having the same conversations that we had 10 years ago. As a professional in the security organization, it starts with taking accountability and ownership. We are past a point in time where awareness is even acceptable. We need engagement, ownership, and accountability because we already know that the actors understand how to leverage architecture in a way that's much more advanced than what we demonstrate with consistent adherence as industry practitioners. It's almost like when we get to a security awareness October each year, it's the same conversations we had the year before. As leaders in the industry, we should say, "Enough's enough—this year we're going to target X, Y, and Z."

When I was in the Health-ISAC several years ago, as leaders in the industry, we said, "For all the members in this group, we're going to attack DMARC. You're going to hit your target, update your controls and your configuration around email management practices, and we're going to address consistency in this area." That's what we have to do as security professionals to set a path.
Director, Information Security in Education, 1,001 - 5,000 employees
To a degree, though at a certain point the benefit of an awareness campaign plateaus and there is also possibly an awareness fatigue.

I got into our security team as it first formed and was able to watch the first few years as our security awareness campaign had measurable, and massive, reductions in easily preventable incidents. Eventually it stopped going down and ticked back up a bit as threat actors changed tactics and people tuned out our communications.
Director of IT in Software, 201 - 500 employees
These have been very helpful for us and they certainly help. As an organization, we have seen a dramatic decrease in successful phishing attacks after running cybersecurity awareness campaigns.

In a general sense, October as cybersecurity month reminds a lot of companies to run awareness campaigns that remind their employees to be vigilant, not click on email links from unknown senders, etc. Over the years this has been perhaps less effective as the threat actors adapted new, more sophisticated methods, but in my opinion humans (employees) are still the weakest link, so cybersecurity awareness campaigns are beneficial.
