October 19, 2017 By Kevin Beaver 3 min read

If you ask a group of technology and business professionals to rank the most important parts of their security program, awareness and training will undoubtedly land in the top three. After all, many breaches start with users and, on the flip side, can be prevented by users. It’s all about setting expectations. Unfortunately, many such attempts fall flat, and security training is just another checkbox in a weak, compliance-based security program. People are going through the motions, but it’s mostly for show.

The biggest problem with security awareness and training programs is that they’re usually completely boring. In this case, boring means ineffective. The last thing an employee wants to hear is someone on the IT or security team — or just as bad, a random stranger in a video training program — wax poetic about how important security is to the organization.

Use strong passwords. Change them every 30 days. Do this, don’t do that … blah, blah, blah. They’ve heard it all. And frankly, it stinks.

Why Security Awareness Training Stinks

I’ll bet if you could have candid discussions with your users about your security awareness and training program, they would probably all say things like:

  • It’s boring.
  • It covers stuff that I already know.
  • They talk to me as if I’m stupid.
  • It’s a waste of my time.

Why do employees feel this way? By and large, there are a lot of IT and security people in charge. They often blindly create security training content under the assumption that people will listen and care just because it’s coming from them. That couldn’t be further from the truth. Ditto for the human resources staff. There are people working in HR departments who couldn’t put together a 10-minute security training session if their life depended on it. This tactless approach to security awareness and training is taking place in many organizations, both large and small, across all industries. And we wonder why we keep getting hit.

The Funny Business of Security Education

To pique people’s interest in security, IT professionals have to make security training entertaining. This is a simple but important reality you cannot afford to overlook. Make your security awareness and training funny — that’s all there is to it. This even applies to the same old boring content that everybody knows about and is tired of hearing. If you make it funny, they will tune in and remember it. Your users will associate this or that joke with this or that security behavior.

Think about some of the skits and one-liners from iconic shows such as “Saturday Night Live” and “Seinfeld.” They’re ingrained into our minds. If you take a similar approach, your users will look forward to their next training session and buy into security like you’ve never seen before. They’ll be asking when new content is coming out because they want to be entertained.

I know not everyone is a comedian, especially those of us in IT and security, but you don’t have to be. There’s a solution: outsourcing. Hire someone who can write good material for you. I’d be willing to bet that there are hundreds, if not thousands, of people online that can take boring old IT and security content, put their own comedic twist on it and send it back to you in a format that will help make you successful. You could even bring someone in to do that type of training for you. You could also purchase content that has already been developed.

Be As Creative As Your Enemies

Your security program revolves around your users, and the level of security cognition among them comes down to the quality of your material. You may be spending tens or even hundreds of thousands of dollars on technical security controls and services each year. Why wouldn’t you spend the necessary amount to have good awareness and training content?

You’re in control here as an IT or security professional, and you have a grand responsibility on your shoulders. Don’t take the easy route or assume that you can just throw some material out there every six to 12 months and it will stick. Be creative. The adversaries working against us around the clock are super imaginative. If you’re going to play at their level, you have to be the same way.
