One of the biggest missed opportunities in cybersecurity training is ticking the compliance box to cover your entire organization’s cybersecurity training or focusing on one month only and neglecting it the rest of the year.
In situations like these, it’s like studying for a college exam and highlighting the entire textbook. When everything is a priority, nothing is a priority. When it comes down to the wire, this can lead to serious vulnerabilities.
Reason 1: Boring Compliance-Based Training Doesn't Work
It’s as simple as that. Human Risk Management is about informing, empowering, and engaging individuals to be at the helm of their own active security choices, and quite frankly, people aren’t motivated to do any of that if the compelling force is pushing them to do it or else. When the real threat behind you is more pressing than the potential threat in front of you, employees can’t learn, and don’t care. They may attend the training, check the boxes, and meet the compliance quota, but does that actually make change happen? We don’t think so. This is where so many businesses are at, and we believe that it can be so much better.
To break down why this doesn’t work, let’s reframe the whole concept.
- Instead of being boring, Human Risk Management should be interesting, intriguing, and, yes, even fun. For example, you can keep your team informed and engaged on how to proactively defend your organization from cyber attacks through an interactive online escape room or even a cybersecurity-themed late-night talk show.
- Secondly, instead of being compliance-based, it should be about behavior change. As Omar Khawaja, a member of the Living Security CISO Advisory Board and CISO at Highmark Health said so well during our most recent Living Security Client Day event, “Awareness isn't the issue that we're trying to solve. We're trying to solve the behavior.” Your employees may know or have some passing familiarity with things like scams and phishing, but what do they do with that information?
- Even the word "training" leaves room for growth. What if it was a company culture, not just a one-day event? As Summer Craze Fowler, CIO of Argo AI and member of our CISO Advisory Board, says, “security is ultimately a part of the fabric of your organization, a part of employees’ everyday experience, and something that everyone takes ownership of in their individual roles.”
Reason 2: Once-a-Month Training Doesn’t Work
It’s simply not effective to spend one frantic month cramming in all of the brain-numbing, punishment-heavy, point-and-click training just to check a box somewhere that says you did it—and data agrees.
If the goal is about changing behavior, then the best and most effective way to truly change behavior is to integrate those opportunities for learning and growth in an organic way. There’s no Olympian on the planet who only trains for one week out of the year, calls it good, and hopes for the gold. There’s no way you’d trust your surgeon if she walked in and told you that she’d crammed for your upcoming transplant surgery and was just hoping things would figure themselves out on the operating table. We can do better.
Instead, Security Program Owners can and should provide unique training content every month. Unify, Living Security’s Human Risk Management solution, makes every month awareness month, and means you can not only respond to real-time metrics with appropriate training opportunities, but also leverage real-time events as teachable moments for your whole organization.
Reason 3: Inflexible & Outdated Training Doesn’t Work
Sometimes, a classic is a classic for a reason, but in this case, "the way it’s always been done" isn’t good enough.
If compliance-based training had been working in the last 10 years, we would’ve seen the percentage of cybersecurity incidents involving humans go down, but it hasn’t. Security awareness training is an important part of the conversation, but it’s just not enough. There has to be more: your training program should be about the why that drives the how.
- Why are individual employees contributing to overall company risk?
- What actions are they taking, or not taking, that are putting the company in danger?
- Where are the vulnerabilities, weaknesses, and opportunities for behavior change?
- How do we keep the content fresh and topical? This 12-month calendar can help.
Reframing the question to be about the results you want and the behaviors it will take to get there means that security training for your company isn’t about prepackaged training modules that are likely to already be out of date. It’s about up-to-the-minute observations and insights that can drive behavior change. Plus, by focusing on these particular activities and taking action accordingly, you can more effectively prove the ROI of your security program.
We’re honored to have recently been named a leader in Security Awareness & Training in the Forrester Wave report, and we believe that Living Security truly is leading the way in the areas where it matters most: doing more than just paying lip service to awareness, behavior, and culture changes in order to reduce human risk; providing meaningful security culture metrics that truly improve training, behavior, and outcomes; and offering innovative solutions that disrupt the future of SA&T in all the right ways. As the report says, “You need a different way to manage human risk, not better ways to train people.” We absolutely agree.
Check out the full Forrester Wave report here to learn more about why Living Security is a leader in Human Risk Management.