Customizing Your Security Awareness Program

Security training can be an effective protection and detection measure, or just another training module for an employee to ignore and click through. Even if an organization is using pre-packaged security awareness training products, they can make the training more effective by customizing it to the organization. Here are some components you may consider when customizing your security program:

Industry or Organizational Threats

Organizations can use internal or external threat intelligence to help develop their security training. Those that do threat intelligence/hunting may consider recent or upcoming threats when choosing what to focus on. External threat intelligence can include reports tailored to your industry or function or a more comprehensive report like Verizon’s annual Data Breach Investigations report.

Breaking It Down

A group of power users in the IT department faces different security risks compared to a cashier at a point-of-sale terminal. An advantage of using modular training is that a central message can be delivered, accompanied by more specific training at higher or lower levels of skill, according to the needs of different functional areas, or for different risk levels.

Casual vs. Formal Culture

It’s important to make security training “fit” within an organization’s culture. More casual organizations may benefit from memes or “gamification”. Banks and government organizations are likely to have a formal culture that accepts more standard training formats. Another example of adapting the training to an organization’s culture includes aligning the training with its shared mission to motivate employees.

Compliance Requirements

Government- or industry-required compliance requirements, like HIPAA and PCI-DSS, may drive some of the content of your training program, as well as the metrics and frequency.