
Keeping Employees Cyber-Aware Keeps the Enterprise Cyber-Secure

Improving employees’ cybersecurity awareness often hinges on translating those initiatives into risks they understand.

Charles Gaughf, CIO for (ISC)2, uses his background in communications to connect cybersecurity risk with employees’ personal concerns. He uses demonstrations of how easily hackers can find personal data online to gain employees’ buy-in and show them clues of how to spot a potential vulnerability or phishing attempt. Photo courtesy of Charles Gaughf

March 1, 2017

There’s a C- on your report card, but you’re not alone: The 2017 Global Cybersecurity Assurance Report Card found that the world’s information security practitioners gave global cybersecurity readiness an overall score of 70 percent – a six-point drop over 2016. What’s causing this lack of confidence? IT security practitioners cited the overwhelming cyber threat environment, a lack of visibility into the network (impacted by BYOD or shadow IT), and low security awareness among employees as the top three challenges facing them today.

While the average CISO or CSO may not be able to drastically reduce the cyber threat environment facing the enterprise, he or she can make a big difference when it comes to educating employees and getting buy-in from the ground up.

According to Charles Gaughf, CIO for cybersecurity education non-profit (ISC)2, the key to improving cybersecurity awareness is to be persistent, pointed and connected to the audience. He suggests implementing phishing tests, demonstrating how easy it is for a bad actor to gain access to personal or company files over an unsecure WiFi connection like in a café, or participating in an information-gathering exercise against an employee to demonstrate how much personal information is publicly available and how it can be used to craft a phishing campaign.

“You have to apply cybersecurity education to how it affects them personally,” Gaughf says. “And this ties back to home and personal security as well as corporate security.”

It’s important, however, to ensure that any educational campaigns are about awareness and improvement, not about shame, he says. Phishing tests or penetration testing results shouldn’t be used to condemn one employee or another, but to improve communication about cybersecurity standards and protocols.

There’s also a generational issue around getting buy-in that requires specific attention. Gaughf says that for Millennials (employees in the 18-34 age range) their whole lives have been online, and much of their information is, too. Gaughf works to show them the value of privacy for certain information, and how easy it is to find information about them online to help curb the tendency to overshare. For seniors, another oft-targeted group, Gaughf recommends tailoring education around their concerns and going to them for input about where they need additional information, such as around threats and scams on online dating services.

The need for a proactive cybersecurity awareness campaign is growing, especially as workforces become more mobile and more third parties hold influence within the enterprise. Passive awareness programs like posters or email campaigns alone are not always the most effective tactic anymore.

According to Stephen Fridakis, VP of Media and Tech Ops for cable TV company HBO, cybersecurity education should make employees and third-party partners understand their responsibilities. At HBO, training should cover the following three features:

  1. Protocols and Permissions: “People want to be compliant,” Fridakis says. “This helps to clear up those questions.”

  2. Risk and Consequences: “If any information is compromised, it hurts all of us. Every new show takes a little blood, sweat and tears from all of us,” he adds. Connecting cyber risk and certain behaviors to the threats and liability for new shows or creative products hits home for employees.

  3. Personal Security: Fridakis hopes that employees take good cybersecurity hygiene home with them, and that it becomes an ingrained thought process.

To accomplish this, HBO is working with LearnBIG to develop and implement interactive cybersecurity education modules and videos for both employees and third parties (including directors, producers, actors and other contractors).

“True to HBO style, we have multiple ‘episodes’ of learning modules, and the campaign will be released over a year, and will be accompanied by posters in English and Spanish and an eBook,” Fridakis says. “It’s not a certification-driven campaign; it’s not pass-fail. We want awareness and repeat views. We added quizzes and messaging to reinforce each topic.”

Some modules, such as password management or phishing threats, could be used straight out of the box, but others were customized for HBO’s specific risks and needs, such as a module on working outside the office (on location, working from home or from a satellite office), adding emphasis on mobile device use to the “protecting your device” module, and extending the privacy module to cover international regulations and risks.

According to Michelle Dennedy, VP and Chief Privacy Officer for Cisco, getting buy-in and understanding can easily start with encouraging employees and leadership to think of data as currency.

According to IBM Security and the Ponemon Institute’s 2016 Cost of Data Breach Study, the average cost per record breached is $158. Consider then, if the location and security of hundreds or thousands of $158 records are unknown, what the liability is to the enterprise, Dennedy says. Records need to be accounted for just as much as money, especially when a data breach or security flaw can impact the price sensitivity in an acquisition market or the value of your brand, not to mention the costs of recovery, she adds.

To really hit home with executives in other departments, Dennedy suggests that security leaders take a consultative approach: what are they looking to accomplish? By breaking down the objectives and obstacles, CISOs and CSOs can determine where they can best help with technology and with culture changes (such as building awareness about password sharing risks or clean desk policies).

For less cyber-savvy organizations, Gaughf recommends that security leaders remain persistent and open to partnerships with other departments. Use breadcrumbs – bite-sized pieces of information, five-minute security briefings in monthly meetings, posters or short email alerts – to slowly but surely build up a reputation of education. Partner with branding and communications teams to help sell cybersecurity to employees (“It can’t be a boring pitch. You don’t want to look like the Internet police,” Gaughf says). All in all, find buy-in where you can, he adds, and leverage those partners to improve cybersecurity awareness and hygiene wherever possible.

So how do you measure the success of your awareness program? While security leaders can gather hard metrics, such as the number of people who have watched any given training module or a downtick in phishing test failures, the best metrics can come in personal investment.

“I know I have buy-in by seeing how often people come to me about suspicious emails, security questions or to request a contractor security assessment,” says Gaughf.

At HBO, Fridakis evaluates feedback and comments, but he too looks for changes in behavior: a reduction in successful social engineering attempts or an uptick in queries about suspicious emails.

“Investment in sophisticated technology and monitoring can be ruined by people’s actions,” says Fridakis. Therein is the long-term benefit of cybersecurity awareness training: It demystifies security and helps employees know their obligations and expectations so that they help maintain a strong perimeter around enterprise data instead of weakening it.

KEYWORDS: CISO cyber security awareness cybersecurity training security communications security education
