May 15, 2018 By Joan Goodchild 3 min read

Educating employees on security is more crucial than ever. Data from London-based advisory and solutions company Willis Towers Watson points to internal employees — whether through negligence or deliberate offense — as the cause of 66 percent of all cyber breaches. Figures like this are prompting security managers to put more resources into security awareness training.

The Path to Effective Security Awareness Training

When the Financial Services Information Sharing and Analysis Center (FS-ISAC) reached out to security managers about cyberdefense for its 2018 CISO Cybersecurity Trends report, 35 percent said they consider employee training a critically high priority for improving security posture. While awareness training is indeed not a new concept, gone are the days when merely giving employees a series of videos to watch was considered sufficient — especially in the absence of any follow-up measures.

Security awareness training programs need to be interesting, engaging and memorable to be effective, said Lisa Plaggemier, director of security culture and client advocacy at CDK Global. Plaggemier believes the entire concept of awareness programs needs a revamp. (She even gave a talk on the subject, Let’s Blow Up Security Awareness and Start Over, at the 2018 RSA Conference.)

“As far as what is not working — no offense to my technical friends — but I think we are hiring the wrong skill set for this position,” said Plaggemier. “We’re hiring people without the right skill set to be good communicators. I think we need more people who have had experience with selling something. We are trying to influence behavior, and that requires being able to get buy-in from employees.”

What are the essential ingredients for a successful security awareness program? The experts we interviewed had four key recommendations.

1. Use Real-Life Hacking and Phishing Examples

“Nobody likes to sit in front of a computer where the speaker does all of the talking. They will be bored easily,” said Aleksandr Yampolskiy, CEO and co-founder of Security Scorecard. “The best presentations show concrete examples. When we conduct training here, I will pull up a website and then show some tools hackers can use to hack a computer. I always show examples of how they can be phished, and I play a video recording where I show how people try and phish me.”


2. Create Engaging Security Training Programs

“Before you can get into tactics, you need good creative,” said Plaggemier. “You need a good character. Something that’s funny or interesting.” At CDK Global, Plaggemier relies on an ad agency with great writers to craft compelling awareness programs.

Yampolskiy has experimented with gamification around awareness lessons at previous organizations where he has run awareness programs. “We bought two iPads and encouraged people to try and hack the company,” he said. “People got creative and would call and pretend to be IT, among other things. This kind of competition resulted in amazing findings that professional demonstrators never discovered.” Yampolskiy said the winner of the competition was titled the company’s security champion and received a plaque from the CEO, which got people excited about the training.

3. Adjust Your Approach: No One Cares

“In awareness, we suffer from the curse of passion,” said Plaggemier. “You presume your audience has a certain level of knowledge. I’ve met so many people in security, they want to help everyone. They are really passionate about it, and they presume that the audience cares too. But that’s just not the case. You need to start every awareness campaign with this premise that no one cares.”

This brings us back to the hook mentioned earlier, the one that draws the audience in: the material needs to be funny, interesting and engaging to get employees to care in the first place, said Plaggemier. “You can use humor, you can — but you have to start with the premise that no one cares in order to see some success,” she said.

4. Enlist Top-Down Support

Building any culture starts by example, said Yampolskiy. “You need buy-in from the CFO, from general counsel. If they lead by example, people will copy that behavior and know that gets rewarded. People look at who is being commended,” he said. The push for significant change should come from the top — otherwise, there is less potential to create a culture of cyber awareness.

“CISOs [chief information security officers] need to get everyone on board with doing something different,” said Plaggemier. “If you’re going to get everyone’s attention, you need to get everyone on board at the outset.”

