Ask security professionals about the effectiveness of security awareness training, and you’re bound to get a wide range of answers. But regardless of the state of your company’s training program, keeping your employees educated about cybersecurity is an absolute must given the volatility and sophistication of today’s threat landscape.

If you have a well-oiled training machine, what can you do to keep it up to date in 2018? And if you don’t, where do you even start?

Fighting an Uphill Battle

The threat landscape has changed significantly since my time developing security awareness training for the government in the mid-2000s. Yet despite all the changes the security world has undergone since then, employees are still the first line of defense when it comes to mitigating risk. The more things change, the more they stay the same, so to speak.

During the last year I spent running a security awareness program, our security team had to ensure that almost 2,000 employees spread out among multiple locations took part in mandatory classes. We did everything we could to walk the fine line between hard-line policy and a lighthearted, interactive learning environment. While that tactic worked with certain individuals, it didn’t generate the desired results.

One of my takeaways from the experience was that the effectiveness of training programs varied by location. Employees who worked out of head office were more likely to adhere to policies and security practices than those in remote locations. Since the IT and security department was located at the main office, perhaps employees felt a greater imperative to be more mindful. For smaller companies with only one location, I can see enforcement being slightly easier. But for larger organizations, I believe the risk is multiplied because of sheer numbers.

Nonetheless, it’s clear that employees view security as a hindrance to their productivity. What can we do to get employees to adopt a more active role in protecting company assets?

The Case for Going All-In

Seattle-based beverage company Talking Rain is a great example of a company with a security awareness program that actually works. Using innovative online security training, employees take part in a 15-minute security awareness program every month.

Gina Harris, the company’s IT director, told me that the program is so well-received that employees actually tell others about it. “Employees are always accountable for being our first line of defense,” she said. “They love the Wombat training and often want to share the modules with their families.”

The company even posts inserts inside bathroom door stalls so employees can read about the program, and it issues awards to those who score 100 percent on the training. On the other hand, those who don’t complete their training will hear from HR.

Another component of Talking Rain’s security program scrutinizes employees’ knowledge of security basics using real-world scenarios. For example, the company sent phony phishing emails to determine whether employees would catch on to the scam or take the bait. Before long, users began regularly reporting malicious emails to the IT department.

Talking Rain also enjoys complete support and buy-in from the C-suite and the board. By pitching an effective security awareness program to top executives as if it were a “Shark Tank”-style presentation, Harris was able to communicate how employee education positively affects the bottom line.

Fostering a Culture of Security

Having discussed this topic with experts for many years now, I can say it's clear that a strong security culture breeds better employee engagement. That culture must come from the top down.

Srinivas Vemula, director for Open Source Practice and technical consultant for SenecaGlobal, said he has seen positive results when the C-suite is involved in the risk mitigation and threat categorization process — a critical precursor to any form of security awareness training. In one particular example, he pointed to a powerful team-building exercise in which executives split up into red and blue teams. In this gamified environment, one group performed a denial-of-service (DoS) attack on the Domain Name System (DNS) server while the other detailed how the company would defend against it. “These unconventional exercises will expose a company’s blind spots and are a great part of any security awareness program,” Vemula noted.

Still not convinced that cybersecurity training can help your company’s bottom line and improve its defenses? Perhaps you’ll be swayed by Gregory Touhill, author of “Cybersecurity for Executives” and the first federal chief information security officer (CISO) of the U.S., appointed during the Obama administration.

In an interview for BankInfoSecurity, Touhill recalled a conversation with a congressman who asked him how he would spend any extra dollars on cybersecurity. “I told him I would spend it on better training my people,” he said. “I find a very well-trained, well-informed workforce is better prepared to help an organization buy down their cyber risk. Everybody has a stake in cybersecurity and I would contend everyone is on cyber front lines. That training needs to be tailored and continuous for the entire workforce.”

Getting Started With Security Awareness Training

I sympathize with anyone responsible for developing, leading, teaching or having anything to do with security awareness training. As enjoyable as it was to passionately convey the importance of security to others, the frustration of seeing your hard work go unrecognized was palpable. The general consensus among our team was that we were fighting an uphill battle.

It doesn’t have to be like that. While you may be struggling to promote security awareness, I’ve talked to many experts who have been successful. If I could go back and do it all over again, I’d try even harder and use all the tools available to make the road to employee enlightenment as smooth as possible.

Unsure where to begin? The National Institute of Standards and Technology (NIST) published a great framework to help prod you in the right direction. But don’t be afraid to stray from conventional training methods. In my experience, unconventional methods tend to be more effective than conventional ones.

At the end of the day, you must do whatever you can to educate employees about security risks. Failing to do so means leaving cracks in your first line of defense against cyberthreats — cracks that will only become harder to patch up as the threat landscape continues to rapidly evolve.
