October 19, 2017 By Kevin Beaver 3 min read

If you ask a group of technology and business professionals to rank the most important parts of their security program, awareness and training will undoubtedly land in the top three. After all, many breaches start with users and, on the flip side, can be prevented by users. It’s all about setting expectations. Unfortunately, many such attempts fall flat, and security training is just another checkbox in a weak, compliance-based security program. People are going through the motions, but it’s mostly for show.

The biggest problem with security awareness and training programs is that they’re usually completely boring. In this case, boring means ineffective. The last thing an employee wants to hear is someone on the IT or security team — or just as bad, a random stranger in a video training program — wax poetic about how important security is to the organization.

Use strong passwords. Change them every 30 days. Do this, don’t do that … blah, blah, blah. They’ve heard it all. And frankly, it stinks.

Why Security Awareness Training Stinks

I’ll bet if you could have candid discussions with your users about your security awareness and training program, they would probably all say things like:

  • It’s boring.
  • It covers stuff that I already know.
  • They talk to me as if I’m stupid.
  • It’s a waste of my time.

Why do employees feel this way? By and large, there are a lot of IT and security people in charge. They often blindly create security training content under the assumption that people will listen and care just because it’s coming from them. That couldn’t be further from the truth. Ditto for the human resources staff. There are people working in HR departments who couldn’t put together a 10-minute security training session if their life depended on it. This tactless approach to security awareness and training is taking place in many organizations, both large and small, across all industries. And we wonder why we keep getting hit.

The Funny Business of Security Education

To pique people’s interest in security, IT professionals have to make security training entertaining. This is a simple but important reality you cannot afford to overlook. Make your security awareness and training funny — that’s all there is to it. This even applies to the same old boring content that everybody knows about and is tired of hearing. If you make it funny, they will tune in and remember it. Your users will associate this or that joke with this or that security behavior.

Think about some of the skits and one-liners from iconic shows such as “Saturday Night Live” and “Seinfeld.” They’re ingrained into our minds. If you take a similar approach, your users will look forward to their next training session and buy into security like you’ve never seen before. They’ll be asking when new content is coming out because they want to be entertained.

I know not everyone is a comedian, especially those of us in IT and security, but you don’t have to be. There’s a solution: outsourcing. Hire someone who can write good material for you. I’d be willing to bet that there are hundreds, if not thousands, of people online that can take boring old IT and security content, put their own comedic twist on it and send it back to you in a format that will help make you successful. You could even bring someone in to do that type of training for you. You could also purchase content that has already been developed.

Be As Creative As Your Enemies

Your security program revolves around your users, and the level of security cognition among them comes down to the quality of your material. You may be spending tens or even hundreds of thousands of dollars on technical security controls and services each year. Why wouldn’t you spend the necessary amount to have good awareness and training content?

You’re in control here as an IT or security professional, and you have a grand responsibility on your shoulders. Don’t take the easy route or assume that you can just throw some material out there every six to 12 months and it will stick. Be creative. The adversaries working against us around the clock are super imaginative. If you’re going to play at their level, you have to be the same way.

