May 15, 2018 By Joan Goodchild

Educating employees on security is more crucial than ever. Data from London-based advisory and solutions company Willis Towers Watson points to internal employees — whether through negligence or deliberate offense — as the cause of 66 percent of all cyber breaches. Figures like this are prompting security managers to put more resources into security awareness training.

The Path to Effective Security Awareness Training

When the Financial Services Information Sharing and Analysis Center (FS-ISAC) reached out to security managers about cyberdefense for its 2018 CISO Cybersecurity Trends report, 35 percent said they consider employee training a critically high priority for improving security posture. While awareness training is indeed not a new concept, gone are the days when merely giving employees a series of videos to watch was considered sufficient — especially in the absence of any follow-up measures.

Security awareness training programs need to be interesting, engaging and memorable to be effective, said Lisa Plaggemier, director of security culture and client advocacy at CDK Global. Plaggemier believes the entire concept of awareness programs needs a revamp. (She even gave a talk on the subject, Let’s Blow Up Security Awareness and Start Over, at the 2018 RSA Conference.)

“As far as what is not working — no offense to my technical friends — but I think we are hiring the wrong skill set for this position,” said Plaggemier. “We’re hiring people without the right skill set to be good communicators. I think we need more people who have had experience with selling something. We are trying to influence behavior, and that requires being able to get buy-in from employees.”

What are the essential ingredients for a successful security awareness program? The experts we interviewed had four key recommendations.

1. Use Real-Life Hacking and Phishing Examples

“Nobody likes to sit in front of a computer where the speaker does all of the talking. They will be bored easily,” said Aleksandr Yampolskiy, CEO and co-founder of Security Scorecard. “The best presentations show concrete examples. When we conduct training here, I will pull up a website and then show up some tools hackers can use to hack a computer. I always show examples of how they can be phished, and I play a video recording where I show how people try and phish me.”

2. Create Engaging Security Training Programs

“Before you can get into tactics, you need good creative,” said Plaggemier. “You need a good character. Something that’s funny or interesting.” At CDK Global, Plaggemier relies on an ad agency with great writers to craft compelling awareness programs.

Yampolskiy has experimented with gamification around awareness lessons at previous organizations where he has run awareness programs. “We bought two iPads and encouraged people to try and hack the company,” he said. “People got creative and would call and pretend to be IT, among other things. This kind of competition resulted in amazing findings that professional demonstrators never discovered.” Yampolskiy said the winner of the competition was titled the company’s security champion and received a plaque from the CEO, which got people excited about the training.

3. Adjust Your Approach: No One Cares

“In awareness, we suffer from the curse of passion,” said Plaggemier. “You presume your audience has a certain level of knowledge. I’ve met so many people in security, they want to help everyone. They are really passionate about it, and they presume that the audience cares too. But that’s just not the case. You need to start every awareness campaign with this premise that no one cares.”

This brings us back to the hook mentioned earlier that draws the audience in: it needs to be funny, interesting and engaging to get them to care in the first place, said Plaggemier. “You can use humor, you can — but you have to start with the premise that no one cares in order to see some success,” she said.

4. Enlist Top-Down Support

Building any culture starts by example, said Yampolskiy. “You need buy-in from the CFO, from general counsel. If they lead by example, people will copy that behavior and know that gets rewarded. People look at who is being commended,” he said. The push for significant change should come from the top — otherwise, there may be less potential to create a culture of cyber awareness.

“CISOs [chief information security officers] need to get everyone on board with doing something different,” said Plaggemier. “If you’re going to get everyone’s attention, you need to get everyone on board at the outset.”
