Looking for some advice here. As a little bit of relevant background, the organisation I work for has only just formed a cyber security team. So they are very early on in their maturity in this space.
I have recently started some planned work to engage users in my organisation with security awareness training. This plan was approved by our CEO plus an external risk board we report to. As part of this, and working with a vendor, we conducted a baseline simulated phishing test. We followed all vendor advice and let the IT support staff it was happening. Well everything blew up at this point.
There were IT support staff from all different areas of the business complaining about user impacts. There were some IT staff undermining the process by contacting all their users and warning them. There were other middle management staff disagreeing with the entire approach in chats which include the entire IT team, stoking the fire even more. In the end the baseline data is totally inaccurate as around a third of our staff got personal warnings about the simulated test and were told to delete it.
What’s the best approach to try and change the culture of the greater IT team to try and accept what cyber is trying to do and get them onboard and working together, instead of seeing it as a huge pain and activity working against it.