October 19, 2017 By Kevin Beaver 3 min read

If you ask a group of technology and business professionals to rank the most important parts of their security program, awareness and training will undoubtedly land in the top three. After all, many breaches start with users and, on the flip side, can be prevented by users. It’s all about setting expectations. Unfortunately, many such attempts fall flat, and security training is just another checkbox in a weak, compliance-based security program. People are going through the motions, but it’s mostly for show.

The biggest problem with security awareness and training programs is that they’re usually completely boring. In this case, boring means ineffective. The last thing an employee wants to hear is someone on the IT or security team — or just as bad, a random stranger in a video training program — wax poetic about how important security is to the organization.

Use strong passwords. Change them every 30 days. Do this, don’t do that … blah, blah, blah. They’ve heard it all. And frankly, it stinks.

Why Security Awareness Training Stinks

I’ll bet if you could have candid discussions with your users about your security awareness and training program, they would probably all say things like:

  • It’s boring.
  • It covers stuff that I already know.
  • They talk to me as if I’m stupid.
  • It’s a waste of my time.

Why do employees feel this way? By and large, there are a lot of IT and security people in charge. They often blindly create security training content under the assumption that people will listen and care just because it’s coming from them. That couldn’t be further from the truth. Ditto for the human resources staff. There are people working in HR departments who couldn’t put together a 10-minute security training session if their life depended on it. This tactless approach to security awareness and training is taking place in many organizations, both large and small, across all industries. And we wonder why we keep getting hit.

The Funny Business of Security Education

To pique people’s interest in security, IT professionals have to make security training entertaining. This is a simple but important reality you cannot afford to overlook. Make your security awareness and training funny — that’s all there is to it. This even applies to the same old boring content that everybody knows about and is tired of hearing. If you make it funny, they will tune in and remember it. Your users will associate this or that joke with this or that security behavior.

Think about some of the skits and one-liners from iconic shows such as “Saturday Night Live” and “Seinfeld.” They’re ingrained into our minds. If you take a similar approach, your users will look forward to their next training session and buy into security like you’ve never seen before. They’ll be asking when new content is coming out because they want to be entertained.

I know not everyone is a comedian, especially those of us in IT and security, but you don’t have to be. There’s a solution: outsourcing. Hire someone who can write good material for you. I’d be willing to bet that there are hundreds, if not thousands, of people online that can take boring old IT and security content, put their own comedic twist on it and send it back to you in a format that will help make you successful. You could even bring someone in to do that type of training for you. You could also purchase content that has already been developed.

Be As Creative As Your Enemies

Your security program revolves around your users, and the level of security cognition among them comes down to the quality of your material. You may be spending tens or even hundreds of thousands of dollars on technical security controls and services each year. Why wouldn’t you spend the necessary amount to have good awareness and training content?

You’re in control here as an IT or security professional, and you have a grand responsibility on your shoulders. Don’t take the easy route or assume that you can just throw some material out there every six to 12 months and it will stick. Be creative. The adversaries working against us around the clock are super imaginative. If you’re going to play at their level, you have to be the same way.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today