Traditional approaches to security communication are limited to perfunctory one-off training sessions that fail to take customers, regulators, and other external stakeholders into account and rarely effect long-term behavioral change. This report lays out a four-step plan that CISOs should follow to manage the human risk. It provides design principles for creating transformational security awareness initiatives which will win the hearts and minds of senior executives, employees, the technology organization, and customers. This is an update to a previously published report; Forrester has reviewed and updated it to ensure relevance and accuracy.