If you had to prove that your team was following security policies, would you be facing an uphill battle?

The point of security training is to educate the entire team so that they’ll make better decisions (or at least that’s the goal).

The problem with this approach to security training is that you may be treating it as a piece of your security platform, in other words just a tool. As a result, it may have no link to your actual policies. The training is one-size-fits-all, and you have no way to prove that you are consistently training your team the way your policies describe.

These training programs themselves aren’t bad. After all, your team can answer review questions upon completion, so you know they had at least one eye on the video and learned something.

However, your security training really needs to be a part of your security program, and NOT simply a security tool.

So, what are the 5 requirements for an effective security training program?

Requirement 1: Each video can be linked back to your security policies.

If you sign up your users for security training, shouldn’t it reinforce what your security policies say? The problem with many training solutions is they vaguely link back to your organization’s documented policies and procedures. This causes ambiguities as to whether your teams are consistently in line with your security program. Make sure that every training links back to and covers appropriate material based on your security policies so you can show that you are officially doing what you are committing to.

Requirement 2: Training is timely.

One-and-done training is no longer enough. If your team isn’t reminded regularly of their risks, they will forget everything. Think I’m kidding? Check the evening news and see which companies were hit today with cybersecurity attacks that could have been avoided. If your training program doesn’t have room for recurring training, then you’re potentially failing to truly protect your organization.

Requirement 3: Training is relevant.

Many platforms generate content for the sake of creating content. The question I want you to think about is whether that content is actually making your team safer. Unless you are confident in the type of content being relayed, you may just be checking a box when training your team without getting them to think about what they are doing. If your training doesn’t get them to think, it’s probably not relevant, or isn’t perceived as relevant.

Requirement 4: Training links back to your security controls.

Whether you know it or not, you likely have security controls in place within your organization. Controls are the measures that keep security issues from popping up; they are how you reduce risk. By training on the critical controls that are relevant to your organization, you can remediate a lot of problems.

For instance, if your team works in email all day, you probably want to make sure you have tools to prevent email-related attacks from happening. Maybe you prevent sensitive data from leaving your network. Maybe you indicate when emails are coming from outside of your organization in case someone tries to impersonate HR or Accounting. If you train on the controls you have in place, your team will understand why they are there and recognize when things don’t feel quite right.

Requirement 5: Training is actionable.

We always recommend having a short mission after training. That mission could be to look out for a scam that is popping up, or to reevaluate a habit. Whatever the mission, it should help your team protect their personal and work identities.

Security training is a necessity at your workplace. If you already have training, that’s a great first step. However, I want to challenge you to make sure that your training aligns with your security program.

With just a few small tweaks, you might turn your security program into a much bigger success.