By Jemma Davis, Founder of Culture Gem, for National Inclusion Week or Cyber Security Awareness Month.

As we are in cyber awareness month, many cyber teams lack the soft skills to have more of an impact than saying “It’s cyber awareness month” in an empty room.

Often cyber teams are built to be technically focused, and it’s unsurprising when you look at the wording in cyber, and even cyber awareness job descriptions, which are almost always created using masculine phrases, and very rarely include a soft skills requirement, other than “good communication”. The essential skill requirements usually demand 5 years of experience with the “tech stack”, or with x framework/regulation. The recent Cyber security skills in the UK labour market 2023 report says 84% working in cyber came through a non-cyber related role, which shows that transferable skills are welcomed into the industry.

My background was in marketing, where cyber was definitely someone else’s job. I found myself embedded into the world of cyber security purely by accident when marketing a cyber conference. This threw me head first into a room with c.200 Chief Information Security Officers (CISOs). Call it serendipity, but this happened as WannaCry was hitting the news, and I was forced into caring about this cyber world that had never been relevant to me. This was how I developed my passion for cyber security, and specifically the protection of real people.

After witnessing the workings of a cyber war room, and the aftermath of a huge-scale cyber incident that resulted in the cancellation of thousands of appointments and operations and patients unable to access local accident and emergency departments, I realised cyber security wasn’t someone else’s job. If I could understand the world of cyber, I could transfer my marketing powers into the cyber industry to make a real difference, using what is known to many as cyber awareness, and influence others to start thinking about cyber as their responsibility too.

Cyber awareness has traditionally felt more like a punishment than something we should give all our care and attention to. It’s thought to consist of mandatory compliance training, a few all-staff emails, and perhaps a cyber awareness month campaign, but often lacks the support of a business, so has limited impact. Gaining the support of other departments, such as internal communications teams, relies on strong working relationships, and this is where soft skills in cyber security are critical.

Technically focused security teams very rarely take the time to build strong working relationships with non-technical teams and only call upon these teams in times of crisis. When we set the requirement of “good communication” when we build the cyber team, we’re going to really need the support of others, to engage people with something that isn’t their job.

While people don’t understand that we are personally at risk, cyber will always be seen as someone else’s problem and something that adds another step to the job we’re trying to do. The trick to engagement in your cyber awareness month campaigns is to make it sexy, and something your staff are desperate to show up to. It’s really not that hard to do. We all know of cyber horror stories, where a series of events led to a loss for someone, whether that be financial or otherwise. Work with someone with better than “good communication” skills to tell the story; set the scene, describe the scam, and the impact that had on a real-life person, such as not being able to cover their rent. If they aren’t asking “And then what happened?”, or “You’re joking?”, staff won’t engage either. Lock-picking demonstrations are a really engaging exercise too, where staff can get involved, and feel like we’re the next super spy. Why not grab your pentester, and ask them to demo a real hack, so staff can see how easily this can happen to our own personal accounts, and see how quickly we switch on multi-factor authentication (MFA) wherever possible?

Cyber awareness is about way more than training, or a few words in an email when the company has a near miss. To drive real awareness, it’s about engaging and motivating staff into something that can be seen as dull, and someone else’s problem. It’s about everyone caring about our own personal security and developing stronger habits in our own lives. It’s about making it okay to talk about fears, concerns, near misses, or scams we’ve fallen for, or heard about, because when staff care about security, we start to bring those habits, thoughts, and feelings into work, and protect the company we work for, without even realising it.

