Security awareness training (SAT) can be thought of as a fitness program. Just as you would choose different exercises for strength training or aerobic goals, there are many factors to weigh when planning your SAT program each year, and your choices should reflect your organization’s current needs, goals and vulnerabilities. Whether you’re just starting a fitness program (or a SAT program for your company) or you’re a veteran of annual planning, you should never stop thinking about what will sharpen and strengthen your training program from year to year.
In my recent webinar, I discussed “6 Critical Elements for a Successful Security Awareness Training Plan.” In this post, I’ll take a closer look at two of those considerations: aligning your program with your audience, and measuring your success.
Align Training to Your Users’ Needs
While a general cyber awareness course benefits the entire organization, some members of your workforce need more training, or different training, than others. Highly specialized positions typically call for in-depth, role-based courses that speak to the particular challenges of their jobs. Developers are the clearest case, since they design the applications that will come under attack; training on concepts such as the OWASP Top 10 web application risks helps them avoid building those weaknesses in the first place rather than patching them later. Whatever the roles may be, a security awareness program that provides specialized content will be more successful at creating and maintaining security organization-wide.
Measure Your Success
In any educational scenario, it’s important to gauge how much students are learning and how much they’re improving from year to year. Awareness training is no different, so you will want to determine:
- Which topics have been the most sticky?
- Does a particular type or style of course have more effect on users?
- Are there trickier subjects that users just need more exposure to?
Answering these questions will help you understand where your program currently stands and where it needs to go. But how do you go about it? Assessments are key. Regular assessments not only let you adjust your program from year to year, but also let you alter courseware or provide remedial training midway through the year, saving your users valuable time and strengthening weak spots before they cause a problem. Pair knowledge checks with behavioural measures where you can, such as click and report rates in phishing simulations: a quiz score shows recall, not what users actually do under pressure.
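As an added illustration that is not part of the original post: a small Python script that turns the three questions above into numbers. For each topic it compares the score users earned right after the course with their score on a follow-up quiz months later, treats the ratio as “stickiness,” and sorts topics into those that stuck, those that need reinforcement, and those that need remedial training before the next annual cycle. The topic names, scores and thresholds are constructed assumptions, not data from any real program.

```python
from statistics import mean

# Constructed sample data (assumption, not real results). For each topic,
# one (post_course_score, follow_up_score) pair per user, in percent.
ASSESSMENTS = {
    "phishing":          [(90, 85), (80, 78), (95, 80), (70, 70)],
    "password_hygiene":  [(85, 50), (90, 55), (75, 40), (80, 60)],
    "data_handling":     [(88, 86), (92, 90), (79, 80), (84, 83)],
    "physical_security": [(70, 40), (65, 45), (72, 38), (60, 42)],
    "removable_media":   [(100, 78), (98, 75), (96, 80), (94, 72)],
}

# Assumed policy thresholds; tune them to your own program.
RETENTION_THRESHOLD = 0.8  # follow-up must keep at least 80% of the post-course score
MASTERY_THRESHOLD = 75     # follow-up mean below this triggers remedial training


def topic_metrics(results):
    """Mean post-course score, mean follow-up score, and the retention ratio."""
    post = mean(p for p, _ in results)
    follow = mean(f for _, f in results)
    retention = follow / post if post else 0.0
    return {"post_course": post, "follow_up": follow, "retention": retention}


def classify(metrics):
    """Map a topic's metrics onto a planning decision."""
    if metrics["follow_up"] < MASTERY_THRESHOLD:
        # Users never mastered it, or lost it entirely: schedule mid-year remediation.
        return "remedial"
    if metrics["retention"] < RETENTION_THRESHOLD:
        # Learned, but fading: reinforce with a simulation or gamified module.
        return "reinforce"
    # Retained well: this content format worked, keep it on the annual cycle.
    return "sticky"


def plan(assessments):
    """Decision per topic, e.g. {'phishing': 'sticky', ...}."""
    return {topic: classify(topic_metrics(r)) for topic, r in assessments.items()}


def weakest_topics(assessments, n=2):
    """The n topics with the lowest follow-up mean: first candidates for remediation."""
    ranked = sorted(assessments, key=lambda t: topic_metrics(assessments[t])["follow_up"])
    return ranked[:n]


if __name__ == "__main__":
    for topic, decision in plan(ASSESSMENTS).items():
        m = topic_metrics(ASSESSMENTS[topic])
        print(f"{topic:18s} post={m['post_course']:5.1f} follow={m['follow_up']:5.1f} "
              f"retention={m['retention']:.2f} -> {decision}")
    print("weakest:", weakest_topics(ASSESSMENTS))
```

Running the same script against each year’s results gives you the year-over-year comparison the post calls for, and running it after the mid-year quiz tells you which courseware to change before the next cycle rather than after it.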
Mix it Up
As with any kind of education, variety is key. If your training load is looking heavy, consider mixing courses with gamified content and simulations for extra reinforcement. For example, an anti-phishing course first gives users basic information and instruction, and a subsequent phishing simulation puts that knowledge to a realistic test, with the click and report rates telling you whether the lesson took hold. Games serve a similar purpose: they cement material by engaging different parts of the brain and reinforcing concepts through different pathways.
Coming back to our physical fitness metaphor, one session at the gym won’t yield lasting results, and neither will a single security awareness training course. Meaningful outcomes take a variety of exercises, repetition and a willingness to measure progress honestly. Listen to my recent webinar for more information on building your security awareness strength training program.
For ideas on how to strengthen and reinvigorate your annual program, please contact us. Our dedicated Solutions Architects would be more than happy to work with you.