Light Dark
April 12, 2018 By Mark Stone 4 min read
CISO
Data Protection
Risk Management

Ask security professionals about the effectiveness of security awareness training, and you’re bound to get a wide range of answers. But regardless of the state of your company’s training program, keeping your employees educated about cybersecurity is an absolute must given the volatility and sophistication of today’s threat landscape.

If you have a well-oiled training machine, what can you do to keep it up to date in 2018? And if you don’t, where do you even start?

Fighting an Uphill Battle

The threat landscape has changed significantly since my time developing security awareness training for the government in the mid-2000s. Yet despite all the changes the security world has undergone since then, employees are still the first line of defense when it comes to mitigating risk. The more things change, the more they stay the same, so to speak.

During the last year I spent running a security awareness program, our security team had to ensure that almost 2,000 employees spread out among multiple locations took part in mandatory classes. We did everything we could to walk the fine line between hard-line policy and a lighthearted, interactive learning environment. While that tactic worked with certain individuals, it didn’t generate the desired results.

One of my takeaways from the experience was that the effectiveness of training programs varied by location. Employees who worked out of head office were more likely to adhere to policies and security practices than those in remote locations. Since the IT and security department was located at the main office, perhaps employees felt a greater imperative to be more mindful. For smaller companies with only one location, I can see enforcement being slightly easier. But for larger organizations, I believe the risk is multiplied because of sheer numbers.

Nonetheless, it’s clear that employees view security as a hindrance to their productivity. What can we do to get employees to adopt a more active role in protecting company assets?

The Case for Going All-In

Seattle-based beverage company Talking Rain is a great example of a company with a security awareness program that actually works. Using innovative online security training, employees take part in a 15-minute security awareness program every month.

Gina Harris, the company’s IT director, told me that the program is so well-received that employees actually tell others about it. “Employees are always accountable for being our first line of defense,” she said. “They love the Wombat training and often want to share the modules with their families.”

The company even posts inserts inside bathroom door stalls so employees can read about the program, and it issues awards to those who score 100 percent on the training. On the other hand, those who don’t complete their training will hear from HR.

Another component of Talking Rain’s security program scrutinizes employees’ knowledge of security basics using real-world scenarios. For example, the company sent phony phishing emails to determine whether employees would catch on to the scam or take the bait. Before long, users began regularly reporting malicious emails to the IT department.

Talking Rain also enjoys complete support and buy-in from the C-suite and the board. By pitching an effective security awareness program to top executives as if it were a “Shark Tank”-style presentation, Harris was able to communicate how employee education positively affects the bottom line.

Fostering a Culture of Security

Having discussed this topic with experts for many years now, it’s clear that a strong security culture breeds better employee engagement. That must come from the top down.

Srinivas Vemula, director for Open Source Practice and technical consultant for SenecaGlobal, said he has seen positive results when the C-suite is involved in the risk mitigation and threat categorization process — a critical precursor to any form of security awareness training. In one particular example, he pointed to a powerful team-building exercise in which executives split up into red and blue teams. In this gamified environment, one group performed a denial-of-service (DOS) attack on the Domain Name System (DNS) server while the other detailed how the company would defend against it. “These unconventional exercises will expose a company’s blind spots and are a great part of any security awareness program,” Vemula noted.

Still not convinced that cybersecurity training can help your company’s bottom line and improve its defenses? Perhaps you’ll be swayed by Gregory Touhill, author of “Cybersecurity for Executives” and the very first chief information security officer (CISO) of the U.S. as part of the Obama administration.

In an interview for BankInfoSecurity, Touhill recalled a conversation with a congressman who asked him how he would spend any extra dollars on cybersecurity. “I told him I would spend it on better training my people,” he said. “I find a very well-trained, well-informed workforce is better prepared to help an organization buy down their cyber risk. Everybody has a stake in cybersecurity and I would contend everyone is on cyber front lines. That training needs to be tailored and continuous for the entire workforce.”

Getting Started With Security Awareness Training

I sympathize with anyone responsible for developing, leading, teaching or having anything to do with security awareness training. As enjoyable as it was to passionately convey the importance of security to others, the frustration of seeing your hard work go unrecognized was palpable. The general consensus among our team was that we were fighting an uphill battle.

It doesn’t have to be like that. While you may be struggling to promote security awareness, I’ve talked to many experts who have been successful. If I could go back and do it all over again, I’d try even harder and use all the tools available to make the road to employee enlightenment as smooth as possible.

Unsure where to begin? The National Institute of Standards and Technology (NIST) published a great framework to help prod you in the right direction. But don’t be afraid to stray from conventional training methods. In my experience, these seem to be more effective than not.

At the end of the day, you must do whatever you can to educate employees about security risks. Failing to do so means leaving cracks in your first line of defense against cyberthreats — cracks that will only become harder to patch up as the threat landscape continues to rapidly evolve.

 |  |  |  |  |  |  | 
Mark Stone

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature