Many organizations invest heavily in technical controls and staff to protect against information security incidents. There’s no replacement for that – but the human brain is amazing at detecting anomalous patterns. If an end user is well educated, they can serve as a “human sensor” to help protect against security attacks.
That’s why security awareness training and assessment are so important. Here are 5 tips to improve your organization’s security awareness culture, training, and assessment.
Customize it.
There are many ways to customize security awareness training to make it more relevant to your organization. The training can focus on the top threats in an industry, for an individual organization, or over a relevant time period. Security staff can also customize training according to the organization’s culture – providing materials in multiple languages, or using materials that fit with a casual or formal business culture.
Keep it continuous.
It’s common to see organizations include security training in their onboarding process, then drift away from training as employees mature. This wears away at skills over time, and it also leaves employees unprepared for newer threats. It’s critical to refresh that training at least annually. It’s also more effective to provide small chunks of training or assessment on a more regular basis.
Make it manageable.
In the same theme as keeping training continuous, it can be more effective and engaging to spread smaller modules of training out over a longer period of time, rather than requiring one long training session. Developing security “modules” also allows for customizing the training to different departments or levels of skill.
Get buy-in from key players.
The most secure organizations have a “security culture” – everyone has ownership and perspective on the security of their team. That kind of culture comes from the top. The best security awareness programs have buy-in from top-level executives, who can encourage participation and provide context for the training. Security staff should also develop relationships with “security evangelists”, employees who can create change within their functional areas.
Measure your results.
There are two ways to measure security awareness training: participation and impact. Participation in security awareness training and assessment scores are easily measurable, and can serve as a useful metric. A gap analysis can provide information on where your organization needs to improve its security, and the results of that analysis serve as a baseline for measuring improvement. After implementing a security awareness program, detection volume may increase, since employees are more likely to report incidents; that increase reflects better reporting rather than more attacks.