The Chair Crux: A Security Awareness Story

Nick Santora

As we start to settle into the New Year, I wanted to share a story about making a change for the better that I’m sure most people can relate to. It involves one man (me), one chair, and a lot of pain. Using this story we’re going to figure out what your current pain point is in your security awareness training program (or another part of your life) and more importantly how to leave it behind for the better.

So what’s your crux? A crux is a difficult problem or pain point that requires some kind of resolution. Like me, I’m sure you can come up with a long list of cruxes, but there’s one I’d like to hone in on — a.k.a. the chair.

The trigger event

Before we delve into my crux, the first thing we have to cover is how it came to be. Storytime! We’re all very familiar with Covid-19 at this point. That’s right, 2019 to 2022 is how long I’ve been dealing with my crux of a chair, not to mention all of the other hurdles that have been put in front of us.

Like many organizations since the start of the pandemic, Curricula had to go remote. While the hybrid life isn’t half bad, at the start I was very unprepared — so unprepared I spent the first few months working hunched over my laptop at our kitchen island sitting with no support and only the faint memory of the cushy chairs sitting unused at our office in the Atlanta Tech Village. Slowly over time, that hunch led to severe neck pain, which escalated to some very unpleasant trips to the chiropractor. They validated that something in my work-from-home lifestyle needed to change.

So my quick and easy ‘lifestyle change’ was the 10-year-old office chair that up until now had been sat on only on the rarest of occasions (and I now know for good reason).

The crux

It looked like a chair, so it must work as well as any other chair, right? Wrong. While, yes, it was better than a backless seat in the kitchen, once you delve beyond the surface, the chair had a few problems of its own. For example:

  • Didn’t slide under my desk properly, so I had to lean my neck into the screen instead of sitting up straight
  • The seat cushion was uncomfortable and I’d sink into it anytime I sat down
  • Wouldn’t hold its position giving a new meaning to rocking and rolling
  • Worst of all, it squeaked nonstop like a clingy mouse — I even tried oil to fix it

I began to resent this chair but kept validating that the reason to keep it was that it wasn’t broken and it was better than nothing.

About a year ago, I found myself complaining about my chair situation at our company town hall meeting. I was aware of the problem, hated it, yet somehow was still tolerating it. This went on for months and months, with me bringing up the same points to my fellow Curriucloo’s for why the chair sucks, expecting my rants to somehow solve the problem. Shockingly, that didn’t work — and as a bonus, my regular chiropractor appointments continued because my quick fix wasn’t actually beneficial.

The resolution

Literally or metaphorically, pain can debilitate you in some way. This pain will continue to grow as long as you allow it to. So the question is how much pain do you have to endure to change?

At the end of 2021, I took three weeks to disconnect from work, clear my head, and prioritize tasks I’d been pushing off. I successfully built IKEA furniture, cleaned clutter build-up, did some reading, and even had time to play some video games. During this time, something finally clicked, and I told myself if I spend just a few moments solving one of my most frustrating problems, why not do it? So I went to find a new chair, not because I needed to but because I wanted to.

I didn’t want to impulsively find the first solution that was advertised to me. I took the time to research chairs, figure out what kind of chair I wanted, look at reviews, and laugh at reviews. On a personal note, if you want a good laugh, grab some wine and read Amazon reviews. Finally, I came across the chair of my dreams. It had everything I wanted and needed:

  • Good back supports that didn’t break my neck by having a pillow on top
  • Made with intent for people who sit in a chair all day long
  • Coincidentally had Curricula’s purple brand color in the chair — talk about a sign!
  • The height of the chair slides perfectly under my desk
  • Looked cool, and feels like I’m flying a spaceship every time I sit on it
  • Most importantly it was silent — like an electric car going under 18mph, not a peep

Once I put it together and sat down it all hit me, the miracle moment. I realized this is what I’d been missing and asked myself, “Why didn’t I do this earlier?”

This story is based on real-life events. The chair on the left is my solution and the saggy chair on the right was my pain.

How this applies to your security awareness training program

You might be thinking, “why am I reading about a chair on a security awareness organization’s blog?” Every day I see clients facing this exact crux when choosing a security awareness training program. I’ll break down the same journey into the three (3) major steps:

1. The trigger

Compared with my chair’s trigger event, Covid-19, the trigger for security awareness is usually an event out of the organization’s control that requires an immediate solution. The majority of customers come into security awareness training because of a trigger event, such as getting hacked or compliance requirements. This gets organizations to just do something. By comparison, an organization that makes annual training PowerPoints is the same as transitioning to working from home on the kitchen island and ending up with neck issues. It’s not going to be sustainable or successful, but it’s just slightly better than nothing.

2. The temporary fix

It took some maturing to realize that ineffective annual training (a.k.a. the bench in keeping with the chair narrative) is doing more harm than good for your employees. So you’ll probably be on the hunt for another quick, cheap, and easy fix to be made — this time slightly upgraded. The old office chair is the same as a boring and outdated security awareness training program. Both are better than before but the effectiveness is being sacrificed to instead just ‘check the box.’

However, once you start using the program you notice the cracks start to form and a long list of uh-oh’s begin to appear:

  • Employees start complaining and aren’t any more secure than before
  • Still experience breaches or fail compliance requirements
  • Help desk tickets keep rising
  • No culture of security has developed
  • Employees hate IT and feel like they’re on opposing teams
  • The program is too hard to set up and time-consuming to manage
  • Employees and admins don’t care and it feels more like a chore

If any items on this list ring true to you, how long will you let the pain go on before you do something better?

3. Doing something better

As the person who works in IT or manages security protocols for your organization, please make the conscious decision to lift your head up, take a breath, and consider what your organization needs out of an effective security awareness program. IT personnel are seemingly always overwhelmed and overworked, so taking time to see the bigger picture of what needs to be done for your organization’s security program can be the difference between a successful and failing program.

The chair represents the element of your security awareness program that has always been your crux. Maybe that’s how your employees negatively interact with your security protocols, your current ineffective security awareness program, or security tools that take more time to manage than the results are worth. I’m pleased to tell you that in my experience you can always do something better; it’s just a matter of when.

When the lightbulb moment hits you as it hit me, you’ll realize that all your pain points have a solution and that gaining different perspectives should be a requirement for running a worthwhile security awareness program. In doing so, all of the following are possible:

  • Security awareness training doesn’t have to be boring for your employees
  • A security culture can change the way your entire organization views cyber security
  • You’ll no longer only have to play defense. A proactive plan will help your security awareness program become more than just going through the motions
  • As the person in charge of your security awareness program, you’ll have more time to think about the big picture instead of tedious tasks

Don’t wait in pain, make a change

When it comes to security awareness, you should never reach a breakpoint of pain because that’s when you’re most vulnerable to cyber-attacks.

My pain of an uncomfortable chair, neck problems, and becoming a chiropractor regular continued to rise because I let it become something to push off. This is the same as your organization experiencing lawsuits or data breaches from the pain of an inadequate security awareness program. Don’t let your security awareness crux impact you and your employees to the point of no return.

It took me more time than I’d like to admit to act on the problem I faced, but that’s just human nature. By sharing this, I’d love to not hear ‘I should’ve done that,’ two years down the line from an organization needing an effective security awareness program. So ask yourself: what pain do you currently have in your security awareness program that you don’t want to keep until 2024?

© 2022 Curricula Group, Inc. All rights reserved.