“When it came to information security awareness, we wanted to get much more of a visceral response from our people than we were getting up to then. Before, we were simply selling. You must do this. You must do that. Without any real interaction with the people,” said Thom Langford (@thomlangford), CISO of the Publicis Groupe, about his agency’s new “marketing focused” direction for internal security awareness.
Using traditional marketing techniques, his team put together stories that showed the value of improved security and the experience that comes out of that.
“It’s not selling as such. You’re trying to get people to aspire to a lifestyle or evoke memories from within themselves. Allow them to relate the concepts you are talking about,” said Langford in our conversation at the 2015 RSA Conference in San Francisco.
The tool they used to deliver that message and to tell those stories was through a series of humorous films with relatable characters.
“In that way, they are seeing activities that they do, carried out in front of them in a way they wouldn’t experience or acknowledge themselves,” said Langford. “So you’re able to put across poor behaviors or unwise behaviors to them in a way you couldn’t do before without patronizing them.”
Publicis is currently only three months into a two year information security program. It’s a long campaign, but it could and probably will be longer. The most successful campaigns, such as the campaigns for anti-smoking and seatbelt laws, take time to evoke real change.
“The most successful marketing campaigns are the long term ones. They’re not the campaigns punctuated with full stops. They’re punctuated with commas,” said Langford.
While only three months in, Langford has already seen impressive success. As compared to the same three month period last year, Langford claims that incidents at his firm have gone down by two thirds, lost laptops are down by a third, and requests for formal help—which includes client projects and internal projects—has gone up by 25%.