How to Develop a Security Awareness Training Program

Posted by Denmark Francisco
May 19, 2021


If you’ve just stepped into a new role as a Security Awareness Program Owner, you may have big shoes to fill. Even if you’ve been in your role for some time now, you may be wondering how to create a better, more effective security program.

Whether you’re building an all-new security awareness initiative or looking to strengthen your current training, here are some core steps to developing an impressive program:

Gather all pre-existing resources about how cybersecurity was previously handled.

If you’re replacing a Security Awareness Program Owner, there are likely two scenarios. In the first, you’re being thrown into the middle of a fire: trying to improve (or at the very least continue the momentum of) an already formulated annual program.

On the other side of the coin, you may be your company’s first-ever Security Awareness Program Owner and are tasked with the high-pressure job of creating a security awareness initiative from scratch. Either way, it’s crucial to do your homework.

Chat with IT and other important departments to understand the internal perception of the previous security awareness program (or just cybersecurity in general if there was never a formal program). Did employees dread the training, and if so, why? What parts did they like? If there was no training, are they aware of the company’s cybersecurity policies? Do they care?

While your team’s perception is no doubt important, don’t forget to look at the actual results or key metrics of the security program’s past performance. What’s missing? What worked well and what flopped? Make a list of areas that need help, as well as areas of strength that may inspire some ideas.

Identify company/employee limitations.

After chatting with your team and getting a broad picture of their past perception of the security awareness program, it’s time to identify roadblocks. What are the bottlenecks in the current initiative? 

Are employees not supporting your program because of a lack of understanding of the cybersecurity concepts? Is it a lack of time on their part? Are they overworked or not allocated a specific time for training? 

What about a lack of skills on your security team’s part? Perhaps deeper learning is required, pursuing certain certifications and keeping up with ever-changing technology. 

Do you have the resources you need to successfully drive your program? If you’re short-handed or don’t have the tools you need for tracking, etc., your security team can’t shine. Perhaps your previous security team was too close to their work to see what is missing or what just isn’t working. An outside perspective can go a long way to revealing powerful changes. 

Understand your security weaknesses at your starting baseline.

Create a culture where you’re not afraid to talk about what’s lacking in security preparedness. Only through identifying security weaknesses can you work to build them into strengths! 

While talking individually to departments sounds nice, it’s not always realistic given the size of some organizations. Instead, you may choose to send out team-specific surveys with tiny incentives for leaving their feedback. Or, you may run social engineering or other security tests/experiments to form a baseline for where your company stands. With this knowledge, you’ll know where you can improve and what education your teams need. 

Push a culture of support versus one of fear.

How is the culture around cybersecurity within your organization? Do employees loathe security training because they’re painted as “dumb” threats to your organization, ones who fall for phishing scams and are to blame for your security weaknesses? Similarly, is your team shamed for their low scores on security tests or badgered to complete training modules so much that your emails never get opened anymore?

If you create a culture of fear and guilt around your cybersecurity initiative, employees will not be engaged. Instead, engage their hearts and minds by praising them for their hard work in championing your security program and diligently protecting your organization.

Pick monthly security themes.

You have a lot you want to teach your teams, but how do you fit it all in? By setting up focused monthly “sprints”! Separate your awareness topics and think of all the supporting materials you have for each theme. For instance, you may decide that August is Privacy Month internally, and curate educational content all around improving cyber privacy.

This not only allows you to measure the effectiveness of specific campaigns, but it also gives your employees focus, reinforcing one subject over and over for a period of a few weeks to solidify learning and long-term retention. Learn more about selecting monthly themes for your cybersecurity initiative here.

Get buy-in from the C-Suite and top dogs.

No matter how much work you do to uncover the weaknesses within your company’s cybersecurity awareness training program, none of it matters if you can’t make the higher-level executives see the importance of funding your efforts for change. In order to make your improvements, it’s crucial that you earn buy-in from the executive team and your CISO, who will be the ones approving your budget and empowering you with the resources you need to succeed. 

In order to speak to the higher-ups, you need to position your pitch for your security awareness budget around things they care about, specifically business enablement. Translation? Moving the needle on business growth.

Learn more about how to earn buy-in for your initiative here. We’ve also got a great article with advice for talking budget with your CISO.

Choose the right training software.

To roll out your cybersecurity awareness training, you need content and a plan for tracking progress. Take a hard look at the interface you use now. Is training housed in a robust learning management system, one that captures insights on employee performance? Is it tracking all KPIs you wished it would? Can you use that data to prove ROI? 

Look at it from a user experience angle too. Is it easy for your team to use, or to pick up again after a long period of inactivity? Some systems have built-in support tools for Security Awareness Program Owners, such as rewarding users with special achievement badges or triggering emails after they pass a certain training module.

Read more on integrating automation into your security training here.

Find a partner for support.

Let’s be frank: you’re juggling a lot! Sometimes you need an extra hand (or many!) to hit all your ambitious goals. The good news is, you don’t have to do it all alone, or even exclusively with an internal security team.

By partnering up with other security service providers, you can ease the burden of parts of your initiative. For instance, you may choose to work with a team for phishing testing, or another for content resource support exclusively. A prime example for supporting program owners like you is Campaign in a Box. It’s as simple as getting training resources with an easy “how-to-use-them” suggestion sheet and go-go-going!

Build a Culture of Heightened Security

With this advice, we hope you’re well on your way to developing a more effective, streamlined security awareness program.

Your security awareness training, however, is just one part of a larger picture of your human risk management. 

Curious to learn more about human risk management and some of its growing trends to improve your initiative? Download 7 Essential Trends Of Human Risk Management today!
