I’ve been thinking a lot lately about one of the most famous marketing campaigns of all time, the Pepsi Challenge. But this isn’t an article about soft drinks, or marketing agencies. This article is about cybersecurity awareness and how we need something better.
If you’ve never taken the Pepsi Challenge, let me describe it for you. These challenges were typically done at the mall or in a grocery store. You would walk up to a table where a nice salesperson had two paper cups and two unlabeled bottles of soda. They’d fill each cup with just a splash of soda, and you’d drink two samples. And at the end of the challenge almost everyone picked Pepsi as their favorite.
This was shocking to most people, because everyone at the time drank Coke.
In the 1960s, Pepsi decided that they wanted to be the #1 soda brand in the world. Their main competition had been Coke since 1881. So they hired BBDO.
BBDO is one of the most iconic advertising agencies in the world. The TV show Mad Men was reportedly inspired by BBDO, and the show frequently mentioned the agency as one of its fictional firm’s main rivals. And in 1975 Pepsi released their iconic “Pepsi Challenge” campaign.
They followed the Pepsi Challenge with celebrity endorsements; Michael Jackson was their chief spokesperson. They positioned themselves as the choice for young people, making Coke look old and stodgy. And it worked: Pepsi actually started gaining market share against their oldest rival. Because of the pressure, Coke made some pretty big mistakes, most notably changing their recipe, which people hated with a passion. Spoiler alert: Coke wins the soda wars, and nobody thinks Pepsi will be the choice of a new generation.
Why didn’t Pepsi win? Most people focus on the power of advertising, and the power of the Coke “brand”. The theory goes that Coke was able to regain their market share because their marketing focused on the “Brand”. Or maybe Coke was just forced to spend more money on advertising.
I don’t think this is a story about one ad agency being better than another or marketing budgets. After all, Pepsi was winning all the taste tests. And this still isn’t an article about marketing.
Malcolm Gladwell, author, writer for the New Yorker, and one of my favorite podcasters, has a different explanation. In his 2005 book, Blink, he argues that the real reason was habits. Gladwell argues that the Pepsi Challenge test had a massive flaw. Remember, people only got to taste a sip of Pepsi. They didn’t drink a whole bottle. The sip test, like some wine taste tests, usually goes to the drink that tastes sweeter. And Pepsi is sweeter.
But people who buy beverages know that they have to drink a whole bottle, and when you have to drink a 12- or 20-ounce bottle, you don’t want that much sweetener. No matter how many Pepsi commercials you watch, it’s not going to change your habits.
Every year, we make our employees watch security awareness training videos. We don’t do this because we want to; we do it because we have to. Nearly every cybersecurity compliance regulation requires you to have some sort of security training program. And the easiest way to train people is by getting them to watch a 5- or 10-minute video on security. You can tell me you enjoyed a video because it was funny or had someone famous in it, but that’s where it ends. We check the box, and then move on. This is, essentially, the sip test applied to security.
Security training videos are just like the Pepsi Challenge. We barely scratch the surface of what someone needs to know about cybersecurity and we don’t look at who the person is, what their role is, or what their habits are. Our employees work in real jobs where life is messy and the easy advice we get in a video doesn’t apply.
When we train people on cybersecurity, we typically sit them down with a new technology and we show them how to secure that piece of technology. Here is how to set a PIN on your mobile phone, here is how to lock down your profile on social media, here is how to set up a Virtual Private Network on a tablet.
I’ve written about how you can customize training to the person and their role, but the problem with this approach is that when the next new technology, like a smartwatch or an IoT device, comes along, they have to come back to a cybersecurity professional to teach them how to secure that new device. Typically, we then make them watch a new series of videos, which are costly to produce and will be out of date after the next software update.
What we need is a pedagogy for teaching cybersecurity so that people are prepared to apply a framework to any technology that comes along. Or, to put it in a more biblical way: show a man a phish and you’ll secure him for the day. Teach a man to phish and you’ll secure him for a lifetime.
No security vendor can prove that security training videos make you more secure, just as Pepsi couldn’t change the buying habits of customers with their commercials. To build lasting change, you need to focus on changing habits or building new ones. You should be able to measure that behavior change by looking at how people handle new technology or new challenges. I think there are nine cybersecurity habits, and you can learn more in my book, Well Aware.