Approach to introducing a new solution
Enforce or encourage?
People responsible for cyber security often face a dilemma: how to properly introduce and communicate a newly selected solution to the organisation.
NordLayer prepared a guide to help you better understand the two most prominent approaches: A) enforcing or B) encouraging the use of new solutions.
Both approaches have positives and negatives. NordLayer provides an overview of both potential roadmaps and presents what each journey could look like. The main differences lie in timing and motivational outcome: enforcing the solution might be faster, but end users' engagement with the service will probably be lower.
Two approaches to introducing a new solution
Enforce with encouraging elements
Enforcing the solution in the organization might result in a faster implementation process, but with lower employee motivation.
Encourage with enforcing elements
Encouraging employees to use new cyber security tools might be a slower-paced process but will likely result in continuous use with higher motivation.
Enforcing roadmap with encouraging elements
Selecting cybersecurity approach (Enforce)
Work with senior management to develop a strategy that blends your security awareness program with your existing corporate culture.
C-level management inclusion (Enforce)
Leadership should act as champions for the programme and lead by example, thereby influencing the staff’s behaviour towards the programme.
Cyber security trainings (Enforce)
You cannot force anyone to absorb knowledge they don’t want to, so try to approach “mandatory” with an inspirational perspective.
Optional: assessment (Encourage)
It is important to test your employees on what they have learned in cyber security awareness trainings and how well they can apply the knowledge.
Continuous training and incentives (Encourage)
Security incidents should be treated as learning opportunities rather than cause for punishment. If users worry they will be blamed or reprimanded, they will be far less likely to report them.
Onboarding process (Enforce)
Training your team on security awareness is an essential part of a successful security program. New employee onboarding is the best time to introduce your staff to your security best practices.
Testing and feedback (Encourage)
Over time, it is important to test your employees on what they have learned and confirm whether they are still following cybersecurity best practices.
Selecting cybersecurity approach
ENFORCE
Work with senior management to develop a strategy that blends your security awareness program with your existing corporate culture.
How?
Key considerations include your industry, workforce demographics, and what’s relevant to different locations, departments, and roles.
Task list
Choose the tools and solutions that will be implemented
Consider different cyber security approaches that would be the most applicable to your organisation
C-level management inclusion
ENFORCE
Leadership should act as champions for the programme and lead by example, thereby influencing the staff’s behaviour towards the programme.
Leaders
The C-suite poses a greater cyber risk to an organization's security posture.
The C-suite is 50 times more likely to be targeted than an average employee.
Task list
Prepare for the management meeting to showcase business value
Define how you will measure the success of the trainings and / or the tool
Onboard management to use the tools themselves
Cyber security trainings
ENFORCE
You can’t force anyone to absorb knowledge they don’t want to, so try to approach “mandatory” with an inspirational perspective.
How?
Employees complete courses at a much higher rate if they're motivated and engaged.
Task list
Develop a course for employees or consider an external training partner
Prepare for a meeting with the human resources (HR) department, which is responsible for explaining and enforcing employee policies / chosen approaches
Optional: assessment
ENCOURAGE
Why?
Over time, it’s important to test your employees on what they have learned and confirm they are still following cybersecurity best practices.
Task list
Decide whether the assessment should take place after the training or later, to assess the knowledge gained over time
Choose the best assessment solution for your organisation: be it a survey, phishing simulations or gamification
Continuous training and incentives
ENCOURAGE
Security incidents should be treated as learning opportunities rather than cause for punishment.
How?
If users worry they will be blamed, reprimanded, or even fired for security-related mistakes, they’ll be far less likely to report them.
Task list
Create an incentives program to encourage employees to collaborate and learn more effectively
Consider how often the trainings should be repeated
Onboarding process
ENFORCE
Cyber security training as part of the onboarding process for new employees. Training your team on security awareness is an essential part of a successful security program.
Onboarding
New employee onboarding is an optimal time to introduce your staff to your security best practices.
Task list
Add cybersecurity training to the onboarding process
Prepare for a meeting with HR to introduce cybersecurity as part of the onboarding process
Testing and feedback
ENCOURAGE
Testing employees when they don't know they're being tested enables real insight into their cyber awareness and how you can best train them.
Testing
Admins are encouraged to send phishing emails to test employees using real-world scenarios. Checking activity logs of employees could also give insights on who needs more supervision.
Task list
Remind your employees that it's important to report phishing attempts
Provide clear, continuous channels for them to do so, such as an incident reporting system or dedicated voice call and text option
Check activity logs of employees
Send a fake phishing email. If employees click on it, they are taken to a website that teaches them how to spot future scams
Testing and feedback
ENCOURAGE
How do your employees respond to security training? Be open to their ideas to improve future efforts.
Feedback
Publicly thank employees and let everyone in the organisation know about any updates or improvements that will come their way.
Task list
Schedule feedback sessions / feedback forms
Update cybersecurity approach accordingly
Encouraging roadmap with enforcing elements
Interviews / workshops with employees (Encourage)
Including employees in the planning and development stages could increase their participation in trainings and, overall, their motivation to use the chosen tools.
Selecting cybersecurity approach (Encourage)
Work with senior management to develop a strategy that blends your security awareness program with your existing corporate culture.
C-level management inclusion (Encourage)
Leadership should act as champions for the programme and lead by example, thereby influencing the staff’s behaviour towards the programme.
Cyber security trainings (Enforce)
You can’t force anyone to absorb knowledge they don’t want to, so try to approach “mandatory” with an inspirational perspective.
Optional: assessment (Encourage)
It’s important to test your employees on what they have learned in cyber security awareness trainings and how well they can apply the knowledge.
Continuous training and incentives (Encourage)
Security incidents should be treated as learning opportunities rather than cause for punishment. If users worry they’ll be blamed or reprimanded, they’ll be far less likely to report them.
Onboarding process (Encourage)
Training your team on security awareness is an essential part of a successful security program. New employee onboarding is an optimal time to introduce your staff to your security best practices.
Testing and feedback (Encourage)
Over time, it’s important to test your employees on what they have learned, confirm they are still following cybersecurity best practices, and update them if necessary.
Interviews and workshops with employees
ENCOURAGE
Work with management and any motivated employee to develop a strategy that blends your security awareness program with your existing corporate culture.
How?
Including employees in the planning and development stages could increase their participation in trainings and, overall, their motivation to use the chosen tools.
Task list
Consider different cyber security approaches that would be the most applicable to your organisation
Invite employees to a strategic workshop or plan individual / group interviews
Selecting cybersecurity approach
ENCOURAGE
Evaluate available options and select the best-fitting cybersecurity approach.
How?
Key considerations for selection include your industry, workforce demographics, and what’s relevant to different locations, departments, and roles.
Task list
Evaluate available options
Based on strategic workshops with management and employees, introduce the chosen approach
C-level management inclusion
ENCOURAGE
It is beneficial for senior management not only to approve a training program but also to be actively engaged and support policy or process changes.
Why?
Leadership should act as champions for the programme and lead by example, thereby influencing the staff’s behaviour towards the programme.
Task list
Prepare for the management meeting to showcase business value
Find industry-specific examples
Show how training ties into your organization's mission and overall cybersecurity strategy
Explain the type of training you are planning to implement
Cyber security trainings
ENFORCE
You can’t force anyone to absorb knowledge they don’t want to, so try to approach “mandatory” with an inspirational perspective.
How?
Employees complete courses at a much higher rate if they're motivated and engaged.
Task list
Develop a course for employees or consider an external training partner
Prepare for a meeting with the human resources (HR) department, which is responsible for explaining and enforcing employee policies / chosen approaches
Optional: assessment
ENCOURAGE
Why?
Over time, it’s important to test your employees on what they have learned and confirm they are still following cybersecurity best practices.
Task list
Decide whether the assessment should take place after the training or later, to assess the knowledge gained over time
Choose the best assessment solution for your organisation: be it a survey, phishing simulations or gamification
Continuous training and incentives
ENCOURAGE
Security incidents should be treated as learning opportunities rather than cause for punishment.
How?
If users worry they’ll be blamed, reprimanded, or even fired for security-related mistakes, they’ll be far less likely to report them.
Task list
Create an incentives program to encourage employees to collaborate and learn more effectively
Consider how often the trainings should be repeated
Onboarding process
ENCOURAGE
Cyber security training as part of the onboarding process for new employees. Training your team on security awareness is an essential part of a successful security program.
Onboarding
New employee onboarding is an optimal time to introduce your staff to your security best practices.
Task list
Add cybersecurity training to the onboarding process
Prepare for a meeting with HR to introduce cybersecurity as part of the onboarding process
Testing and feedback
ENCOURAGE
Testing employees when they don't know they're being tested enables real insight into their cyber awareness and how you can best train them.
Testing
Admins are encouraged to send phishing emails to test employees using real-world scenarios. Checking activity logs of employees could also give insights on who needs more supervision.
Task list
Remind your employees that it's important to report phishing attempts
Provide clear, continuous channels for them to do so, such as an incident reporting system or dedicated voice call and text option
Check activity logs of employees
Send a fake phishing email. If employees click on it, they are taken to a website that teaches them how to spot future scams like that
Testing and feedback
ENCOURAGE
How do your employees respond to security training? Be open to their ideas to improve future efforts.
Feedback
Publicly thank employees and let everyone in the organisation know about any updates or improvements that will come their way.
Task list
Schedule feedback sessions / feedback forms
Schedule a group meeting with employees to discuss how to further improve the strategy
Update cybersecurity approach accordingly
If you have any questions, contact our tech-minded sales team!