If you ask a group of technology and business professionals to rank the most important parts of their security program, awareness and training will undoubtedly land in the top three. After all, many breaches start with users and, on the flip side, can be prevented by users. It’s all about setting expectations. Unfortunately, many such attempts fall flat, and security training is just another checkbox in a weak, compliance-based security program. People are going through the motions, but it’s mostly for show.

The biggest problem with security awareness and training programs is that they’re usually completely boring. In this case, boring means ineffective. The last thing an employee wants to hear is someone on the IT or security team — or just as bad, a random stranger in a video training program — wax poetic about how important security is to the organization.

Use strong passwords. Change them every 30 days. Do this, don’t do that … blah, blah, blah. They’ve heard it all. And frankly, it stinks.

Why Security Awareness Training Stinks

I’ll bet if you could have candid discussions with your users about your security awareness and training program, they would probably all say things like:

  • It’s boring.
  • It covers stuff that I already know.
  • They talk to me as if I’m stupid.
  • It’s a waste of my time.

Why do employees feel this way? By and large, the people in charge of these programs are IT and security staff, and they often create security training content under the assumption that people will listen and care simply because it comes from them. That couldn't be further from the truth. The same goes for human resources staff: there are people working in HR departments who couldn't put together a 10-minute security training session if their life depended on it. This tactless approach to security awareness and training is taking place in organizations large and small, across all industries. And we wonder why we keep getting hit.

The Funny Business of Security Education

To pique people’s interest in security, IT professionals have to make security training entertaining. This is a simple but important reality you cannot afford to overlook. Make your security awareness and training funny — that’s all there is to it. This even applies to the same old boring content that everybody knows about and is tired of hearing. If you make it funny, they will tune in and remember it. Your users will associate this or that joke with this or that security behavior.

Think about some of the skits and one-liners from iconic shows such as “Saturday Night Live” and “Seinfeld.” They’re ingrained into our minds. If you take a similar approach, your users will look forward to their next training session and buy into security like you’ve never seen before. They’ll be asking when new content is coming out because they want to be entertained.

I know not everyone is a comedian, especially those of us in IT and security, but you don't have to be. There's a solution: outsourcing. Hire someone who can write good material for you. I'd be willing to bet that there are hundreds, if not thousands, of people online who can take boring old IT and security content, put their own comedic twist on it and send it back to you in a format that will help make you successful. You could even bring someone in to deliver that type of training for you. You could also purchase content that has already been developed.

Be As Creative As Your Enemies

Your security program revolves around your users, and how security-aware they are comes down to the quality of your material. You may be spending tens or even hundreds of thousands of dollars on technical security controls and services each year. Why wouldn't you spend what it takes to have good awareness and training content as well?

You're in control here as an IT or security professional, and you have a grand responsibility on your shoulders. Don't take the easy route or assume that you can just throw some material out there every six to 12 months and it will stick. Be creative. The adversaries working against us around the clock are highly imaginative. If you're going to play at their level, you have to be the same way.
