Intelligence in CISO's Corner

Practical Strategies to Enhance Your Organization’s Information Security Awareness and Training Program

Regardless of company size, industry or maturity level, all organizations share the same risk: the possibility of human error. Human error means unintentional actions, or the absence of action, by employees and users that cause, spread or allow security incidents to take place.

Much of human error stems from end users simply not knowing the right course of action in the first place. Mitigating human error therefore works from two angles: reducing the opportunity for error, and educating users.

The Problem with ‘One Size Fits All’ Training Programs

When it comes to educating users, many companies implement a simple awareness and training program. Such a program typically includes:

Trainings assigned to all personnel, covering the critical policies issued by the organization, for example:

  • Code of Conduct training
  • Acceptable Use Policy training
  • Clear Desk Policy training

Trainings assigned to specific teams or employees, depending on their day-to-day responsibilities, for example:

  • Secure coding best practices trainings, assigned to software engineering employees
  • Incident response training, assigned to the incident response team

Exercises that test employees' knowledge in real-life conditions, for example:

  • Simulated phishing campaigns

The problem with this approach is that employees in an organization have different levels of knowledge of information security principles and best practices, and different exposure to risk. A 'one size fits all' program treats them all identically, which makes it ineffective, especially for information security training.

Six Strategies to Mature Your Information Security Awareness and Training Program

Here are six effective strategies you can implement to mature your organization's information security awareness and training program:

Assess your current training coverage: To confirm your organization has the training coverage it needs, complete the following assessments and identify the gaps:

  • Compare the training required by applicable regulations against the training exercises actually in place
  • Compare the information security policies you have published against the training exercises that support each of them

Understand your audience: Conduct a risk assessment of your employees' knowledge of the information security topics covered in your organization's published policies, as well as of general information security best practices. This exercise will give you better insight into:

  • Who your high-risk employees are; these employees should potentially take additional training
  • Which areas do or do not need additional coverage in your information security training exercises
  • The level of training coverage needed per policy or topic: some topics and policies are straightforward and require only an annual sign-off by employees, while others are more detailed and require technical understanding before they can be followed correctly

Consider which departments handle which data types: For example, if you are concerned about mitigating risk around sensitive patient health information, you can quickly identify which groups or departments handle that data and should take a specific training to address that risk.

Design a training program that reflects your resources and risk appetite: Depending on the size of your organization and the resources available, the training program can be tailored to address risk at the company level, the department level, or the individual level.

Determine appropriate training methods: Different people learn in different ways. For your training program to be effective, its exercises must be engaging, so test the effectiveness of different training methods on different audiences and measure the results:

  • Video content
  • Interactive trainings (including quizzes to test out employees’ knowledge throughout the training)
  • Articles
  • Newsletters
  • Tabletop exercises

Conduct department-specific exercises: Test employees' knowledge in real-life conditions with exercises tailored to each department, for example:

  • Targeted phishing campaigns per department, modeled on the kinds of suspicious emails that department actually receives on an ongoing basis

The Bottom Line

An effective awareness and training program is the unique product of each organization's requirements, employees, resources, and risk appetite. Taking all of these variables into account when designing your awareness and training program is what makes it succeed.
