In honor of National Cybersecurity Awareness Month (CSAM), Dane Boyd, PhishLabs' Security Training Manager, and I will share a series of posts covering topics from cybersecurity to organizational learning and development. We are kicking off the series by covering a topic near and dear to my heart: taking a programmatic approach to implementing a security training program.
A fatal flaw committed by many organizations is just throwing training over the fence and crossing our fingers. We think that if the training is assigned, employees will take it, absorb it, and we will achieve our learning objectives. Such an approach is like, to borrow an analogy from another passion of mine, dropping oil into water. We need an emulsifier.
First things first: let's reframe how we consider security training. We are not checking a box for compliance. We are galvanizing our workforce into a human shield against cyber security and physical attacks. To improve the odds that you meet organizational objectives, focus on thoughtfully choosing a training program, pairing it with a captivating awareness campaign, and implementing effective reward and remediation strategy.
Choosing a Training Program
Before we get into implementing a training program, it is important to choose training that is designed for the way people learn. Training content designed with adult learning principles in mind will not only prove more effective but more engaging to your workforce.
Choosing the best training program isn't enough, though. It's critical that you understand how the organizational climate impacts training success. In a later blog post, we'll discuss this in detail.
Designing a Captivating Awareness Campaign
Creating a culture of security vigilance is tough to do when your employees are unaware of your efforts. Marketing the program using a cohesive awareness campaign helps keep your security goals top-of-mind for your workforce. A few key considerations:
- Choose a cohesive brand
- Include a mix of mediums
- Start marketing your program early
More specifically, use the same theme across your marketing materials will cement the program in the minds of your employees and helps them more readily recognize events, training assignments, and more. Then consider what is best to reach your workforce, what mix of digital and/or print media will give you the greatest reach. And finally, raise awareness, secure engagement, and strengthen program recognition before you expect your employees to participate.
Remember, the purpose of the campaign is to keep employees aware, not to share every piece of information in a single poster. Keep your message simple!
Implementing a Reward & Remediation Strategy
What drives your workforce to participate in security training or to practice good security hygiene? What keeps them accountable if they slip up? An effective reward and remediation strategy that fits within your organizational culture is critical to achieving your learning objectives. As every organization is different, there is no one-size-fits-all approach. Later this month, we'll cover this topic in detail.
I hope this post encourages you to implement a programmatic approach to increase the likelihood that your security awareness training is a success. Stay tuned all month long for our thoughts on choosing and implementing an effective training program, and exciting insights from Dane on real-time cyber threats!