When striving for success, you must have a definite purpose — something that stands above everything else in terms of getting results. As it relates to information security and, specifically, user awareness and training, what’s the main goal?

Is it to train everyone to the highest possible level so they can be a part of the security solution? Perhaps it’s to set your business up for success by controlling users’ actions through policies and technologies? Maybe it’s to check the security awareness training box that auditors look for? Looking at the myriad approaches and possible outcomes of a security awareness and training program, no matter how it’s done, it all comes down to one thing: behavioral changes.

There are many businesses out there going through the motions of cybersecurity training, but they have little to show for it. Sure, the box is checked, but people are still clicking on malicious links, opening email attachments and falling for the same old tricks that social engineers have thrust upon us for decades. I see it in practically every security assessment project I work on. If a phishing message is convincing enough, upwards of half (sometimes more) of users I target open attachments, click links and provide their network login credentials when prompted. It’s a simple yet disturbing exploit and it’s happening all around the globe — your business included — every single day.

Find the Gaps in Your Security Awareness Program

With behavioral changes as a core component, is your security awareness program focused on the right things — the things that will help achieve your overarching purpose and goals? Or are you doing things that are moving you further away from where you need to be?

Are there blind spots in terms of technical controls? Perhaps you need to rethink your policies? There could be reputation or credibility issues that are keeping you from selling security to those who need it most. In-depth, unbiased and ongoing security assessments can uncover these things and lead to improvements. The problem is that security assessments are often not in-depth, unbiased or ongoing, so the security challenges perpetuate.

What gaps and opportunities exist in your security awareness and training initiatives? There are plenty if you take an honest look. Would forcing more mind-numbing classroom sessions or videos get more people on board with security? Or would a more creative approach such as having an outside professional trainer be better? Ask your users what they’d like to learn and how they’d like to learn it. There are a lot of smart people outside of IT and security circles who can provide great feedback, so it’s best to have them on your side. Look at this as starting with a clean slate and improving security at a grassroots level rather than from the top down.

There’s often a gap in expectations. If you were to ask random employees in your business if they could explain what’s expected of them in terms of computer and internet usage, could they tell you? Give it a try and see what you find out. While you’re at it, ask them how IT and security can make their jobs easier. You’ll hear some great ideas. Note those ideas and implement them. When people see that their ideas are being used, they’ll have buy-in and will work to make even more improvements across the organization.

Next, how are bad choices on the part of employees handled? Is it a simple email reminder? Perhaps a useless retake of a cybersecurity training module? Does a manager sit down and talk about what happened and how it needs to be handled differently? Or is it IT or security’s job to reprimand employees who make mistakes? That’s often what I see and it’s entirely the wrong approach. Security awareness and training is an HR/management function that IT and security professionals just happen to help facilitate.

Instead of it being a you-versus-them scenario, ensure that management and your security committee are involved in the process. As strange as it may seem, adult employees are not all that different from young children when it comes to being disciplined. If they’re to learn from their mistakes, they need to hear why they shouldn’t have done what they did (its impact on the business) and how they can better handle things next time, rather than being scolded and embarrassed.

Make Necessary Changes Sooner Rather Than Later

Whether it’s in business, your personal life or information security, you get what you focus on. Employees need to be set up for success. In an ideal world, this would mean they aren’t even provided the opportunity to make security decisions. Technical controls can help with this, but only to an extent. Eventually, employees will be presented with important security choices. Are your current awareness and training efforts going to lead them down the right path? You’ll never know until you scrutinize what you do.

Recognize that a core outcome of security awareness and training efforts needs to be changing behaviors. Get the right people involved to set expectations and then do what it takes to hit the target today — and keep hitting it over time. It’s the same old approach to minimizing employee-related security risks, but it’s the one that works.
