Educating employees on security is more crucial than ever. Data from London-based advisory and solutions company Willis Towers Watson points to internal employees — whether through negligence or deliberate offense — as the cause of 66 percent of all cyber breaches. Figures like this are prompting security managers to put more resources into security awareness training.

The Path to Effective Security Awareness Training

When the Financial Services Information Sharing and Analysis Center (FS-ISAC) reached out to security managers about cyberdefense for its 2018 CISO Cybersecurity Trends report, 35 percent said they consider employee training a critically high priority for improving security posture. While awareness training is indeed not a new concept, gone are the days when merely giving employees a series of videos to watch was considered sufficient — especially in the absence of any follow-up measures.

Security awareness training programs need to be interesting, engaging and memorable to be effective, said Lisa Plaggemier, director of security culture and client advocacy at CDK Global. Plaggemier believes the entire concept of awareness programs needs a revamp. (She even gave a talk on the subject, Let’s Blow Up Security Awareness and Start Over, at the 2018 RSA Conference.)

“As far as what is not working — no offense to my technical friends — but I think we are hiring the wrong skill set for this position,” said Plaggemier. “We’re hiring people without the right skill set to be good communicators. I think we need more people who have had experience with selling something. We are trying to influence behavior, and that requires being able to get buy-in from employees.”

What are the essential ingredients for a successful security awareness program? The experts we interviewed had four key recommendations.

1. Use Real-Life Hacking and Phishing Examples

“Nobody likes to sit in front of a computer where the speaker does all of the talking. They will be bored easily,” said Aleksandr Yampolskiy, CEO and co-founder of Security Scorecard. “The best presentations show concrete examples. When we conduct training here, I will pull up a website and then show some tools hackers can use to hack a computer. I always show examples of how they can be phished, and I play a video recording where I show how people try and phish me.”


2. Create Engaging Security Training Programs

“Before you can get into tactics, you need good creative,” said Plaggemier. “You need a good character. Something that’s funny or interesting.” At CDK Global, Plaggemier relies on an ad agency with great writers to craft compelling awareness programs.

Yampolskiy has experimented with gamification in awareness lessons at previous organizations where he ran awareness programs. “We bought two iPads and encouraged people to try and hack the company,” he said. “People got creative and would call and pretend to be IT, among other things. This kind of competition resulted in amazing findings that professional demonstrators never discovered.” Yampolskiy said the winner of the competition was named the company’s security champion and received a plaque from the CEO, which got people excited about the training.

3. Adjust Your Approach: No One Cares

“In awareness, we suffer from the curse of passion,” said Plaggemier. “You presume your audience has a certain level of knowledge. I’ve met so many people in security, they want to help everyone. They are really passionate about it, and they presume that the audience cares too. But that’s just not the case. You need to start every awareness campaign with this premise that no one cares.”

This brings us back to the hook mentioned earlier, the element that draws the audience in: a campaign needs to be funny, interesting and engaging to get people to care in the first place, said Plaggemier. “You can use humor, you can — but you have to start with the premise that no one cares in order to see some success,” she said.

4. Enlist Top-Down Support

Building any culture starts by example, said Yampolskiy. “You need buy-in from the CFO, from general counsel. If they lead by example, people will copy that behavior and know that gets rewarded. People look at who is being commended,” he said. The push for significant change should come from the top; without executive backing, a culture of cyber awareness is much harder to create.

“CISOs [chief information security officers] need to get everyone on board with doing something different,” said Plaggemier. “If you’re going to get everyone’s attention, you need to get everyone on board at the outset.”
