If you ask a group of technology and business professionals to rank the most important parts of their security program, awareness and training will undoubtedly land in the top three. After all, many breaches start with users and, on the flip side, can be prevented by users. It’s all about setting expectations. Unfortunately, many such attempts fall flat, and security training is just another checkbox in a weak, compliance-based security program. People are going through the motions, but it’s mostly for show.
The biggest problem with security awareness and training programs is that they’re usually completely boring. In this case, boring means ineffective. The last thing an employee wants to hear is someone on the IT or security team — or just as bad, a random stranger in a video training program — wax poetic about how important security is to the organization.
Use strong passwords. Change them every 30 days. Do this, don’t do that … blah, blah, blah. They’ve heard it all. And frankly, it stinks.
Why Security Awareness Training Stinks
I’ll bet if you could have candid discussions with your users about your security awareness and training program, they would probably all say things like:
- It’s boring.
- It covers stuff that I already know.
- They talk to me as if I’m stupid.
- It’s a waste of my time.
Why do employees feel this way? By and large, there are a lot of IT and security people in charge. They often blindly create security training content under the assumption that people will listen and care just because it’s coming from them. That couldn’t be further from the truth. Ditto for the human resources staff. There are people working in HR departments who couldn’t put together a 10-minute security training session if their life depended on it. This tactless approach to security awareness and training is taking place in many organizations, both large and small, across all industries. And we wonder why we keep getting hit.
The Funny Business of Security Education
To pique people’s interest in security, IT professionals have to make security training entertaining. This is a simple but important reality you cannot afford to overlook. Make your security awareness and training funny — that’s all there is to it. This even applies to the same old boring content that everybody knows about and is tired of hearing. If you make it funny, they will tune in and remember it. Your users will associate this or that joke with this or that security behavior.
Think about some of the skits and one-liners from iconic shows such as “Saturday Night Live” and “Seinfeld.” They’re ingrained into our minds. If you take a similar approach, your users will look forward to their next training session and buy into security like you’ve never seen before. They’ll be asking when new content is coming out because they want to be entertained.
I know not everyone is a comedian, especially those of us in IT and security, but you don’t have to be. There’s a solution: outsourcing. Hire someone who can write good material for you. I’d be willing to bet that there are hundreds, if not thousands, of people online that can take boring old IT and security content, put their own comedic twist on it and send it back to you in a format that will help make you successful. You could even bring someone in to do that type of training for you. You could also purchase content that has already been developed.
Be As Creative As Your Enemies
Your security program revolves around your users, and the level of security cognition among them comes down to the quality of your material. You may be spending tens or even hundreds of thousands of dollars on technical security controls and services each year. Why wouldn’t you spend the necessary amount to have good awareness and training content?
You’re in control here as an IT or security professional, and you have a grand responsibility on your shoulders. Don’t take the easy route or assume that you can just throw some material out there every six to 12 months and it will stick. Be creative. The adversaries working against us around the clock are super imaginative. If you’re going to play at their level, you have to be the same way.
Listen to the podcast series: Take Back Control of Your Cybersecurity now
Independent Information Security Consultant