May 14, 2019 By Kevin Beaver 3 min read

When striving for success, you must have a definite purpose — something that stands above everything else in terms of getting results. As it relates to information security and, specifically, user awareness and training, what’s the main goal?

Is it to train everyone to the highest possible level so they can be a part of the security solution? Perhaps it’s to set your business up for success by controlling users’ actions through policies and technologies? Maybe it’s to check the security awareness training box that auditors look for? Looking at the myriad approaches and possible outcomes of a security awareness and training program, no matter how it’s done, it all comes down to one thing: behavioral changes.

There are many businesses out there going through the motions of cybersecurity training, but they have little to show for it. Sure, the box is checked, but people are still clicking on malicious links, opening email attachments and falling for the same old tricks that social engineers have thrust upon us for decades. I see it in practically every security assessment project I work on. If a phishing message is convincing enough, upwards of half (sometimes more) of users I target open attachments, click links and provide their network login credentials when prompted. It’s a simple yet disturbing exploit and it’s happening all around the globe — your business included — every single day.

Find the Gaps in Your Security Awareness Program

With behavioral changes as a core component, is your security awareness program focused on the right things — the things that will help achieve your overarching purpose and goals? Or are you doing things that are moving you further away from where you need to be?

Are there blind spots in terms of technical controls? Perhaps you need to rethink your policies? There could be reputation or credibility issues that are keeping you from selling security to those who need it most. In-depth, unbiased and ongoing security assessments can uncover these things and lead to improvements. The problem is that security assessments are often not in-depth, unbiased or ongoing, so the security challenges perpetuate.

What gaps and opportunities exist in your security awareness and training initiatives? There are plenty if you take an honest look. Would forcing more mind-numbing classroom sessions or videos get more people on board with security? Or would a more creative approach such as having an outside professional trainer be better? Ask your users what they’d like to learn and how they’d like to learn it. There are a lot of smart people outside of IT and security circles who can provide great feedback, so it’s best to have them on your side. Look at this as starting with a clean slate and improving security at a grassroots level rather than from the top down.

There’s often a gap in expectations. If you were to ask random employees in your business if they could explain what’s expected of them in terms of computer and internet usage, could they tell you? Give it a try and see what you find out. While you’re at it, ask them how IT and security can make their jobs easier. You’ll hear some great ideas. Note those ideas and implement them. When people see that their ideas are being used, they’ll have buy-in and will work to make even more improvements across the organization.

Next, how are bad choices on the part of employees handled? Is it a simple email reminder? Perhaps a useless retake of a cybersecurity training module? Does a manager sit down and talk about what happened and how it needs to be handled differently? Or is it IT or security’s job to reprimand employees who make mistakes? That’s often what I see and it’s entirely the wrong approach. Security awareness and training is an HR/management function that IT and security professionals just happen to help facilitate.

Instead of it being a you-versus-them scenario, ensure that management and your security committee are involved in the process. As strange as it may seem, adult employees are not all that different from young children when it comes to being disciplined. If they’re to learn from their mistakes, they shouldn’t be scolded and embarrassed; they need to hear why they shouldn’t have done what they did (its impact on the business) and how they can better handle things next time.

Make Necessary Changes Sooner Rather Than Later

Whether it’s in business, your personal life or information security, you get what you focus on. Employees need to be set up for success. In an ideal world, this would mean they aren’t even provided the opportunity to make security decisions. Technical controls can help with this, but only to an extent. Eventually, employees will be presented with important security choices. Are your current awareness and training efforts going to lead them down the right path? You’ll never know until you scrutinize what you do.

Recognize that a core outcome of security awareness and training efforts needs to be changing behaviors. Get the right people involved to set expectations and then do what it takes to hit the target today — and keep hitting it over time. It’s the same old approach to minimizing employee-related security risks, but it’s the one that works.
