A security awareness program is a critical part of any security strategy. It is not enough to simply hold everyone in the organization accountable. Chief information security officers (CISOs) must first train employees to practice proactive, conscientious security behaviors by convincing them that security affects them directly, not just the business.

Building Better Cybersecurity Instincts

While most people practice cybersecurity as a self-preservation instinct at home, they often take it for granted at work. This disconnect can be boiled down to ownership: People rigorously protect their prized possessions at home, but business assets feel like somebody else’s property and, therefore, somebody else’s problem. Security leaders charged with training employees must demonstrate how one weak link in the company can compromise everyone’s privacy, not to mention the business’s bottom line.

In most organizations, security awareness training is ongoing and constantly evolving to address new threats as they emerge. These threats affect all employees within an organization, not just the IT department, so training programs must be particularly robust for employees in marketing, legal, finance, HR and especially the C-suite.

When assessing the organization’s security awareness program, CISOs should ask the following questions:

  • Does the security policy address security awareness?
  • Do all functional departments enforce employee training and accountability requirements?
  • Does corporate governance address awareness and training across the organization?
  • What practices and technologies do employees use to detect a security breach?
  • Do employees know about the security policy?
  • Do employees know what to do if they discover a security violation?
  • Are executives and upper management embracing the awareness program?

As part of this assessment, the CISO should document the gaps and formulate an action plan accordingly. This starts with presenting a convincing business case to demonstrate the enormous benefits of a security awareness program to the C-suite and board of directors. Include examples of actual root causes mapped to the findings outlined in your assessment, and emphasize the potential damage of a user-inflicted security breach.

Collaboration Drives Greater Security Awareness

Input from disparate departments throughout the organization is crucial when formulating a security awareness program. Involving employees in the process is a great way to help them develop natural security instincts and understand the far-reaching impact of a seemingly isolated security weakness. It also helps the CISO deliver more personalized education and address concerns specific to those departments.

Documentation is equally important. Security leaders must outline the program’s objectives, define the security issues, determine how to address them and manage the implementation with milestones and metrics. They should also strive to make all training materials consistent in messaging and branding.

When employees help build a security awareness program, they are more likely to understand their integral role in safeguarding the organization’s data. Instead of resisting IT requirements, they will become advocates of security and think twice before opening suspicious attachments, reusing easy-to-guess passwords and neglecting to update outdated systems.

Put simply, the success of a security awareness program largely depends on how it is delivered. Cybersecurity training must be the domain of the CISO and other IT experts within the organization, not the HR department. Positive reinforcement, open communication and interdepartmental collaboration are the keys to spreading security awareness throughout the enterprise.

More from CISO

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…