July 9th, 2021
Nick Santora (CISA, CISSP) is the CEO and founder of Curricula and on a mission to make security awareness training fun so employees can actually defend against cyber attacks.
Throughout my career as a cybersecurity advisor, I’ve had the privilege to experience hundreds of cybersecurity programs. Most of these programs have been driven by compliance regulations that forced the organization to focus on compliance over security.
Security awareness training always seems to be part of these regulations. Although the security awareness requirements are vague, that doesn’t mean we should focus on just checking the box. After all, security awareness is designed to make your employees more secure when dealing with real-world cyber attacks.
Here at Curricula, we interact with hundreds of organizations every week to learn more about how to improve their cyber security awareness training programs.
In this post, I’m going to share what we’ve seen as the top 5 common mistakes when implementing an employee cyber security training program.
Consistency matters when it comes to security awareness training. When employees come to take training, there are certain things they expect to be consistent. Take, for example, if Coca-Cola decided to sell shoes. It would be kind of weird, right?
Consistency in your company and brand matters, and consistency internally matters just as much to your employees. You want them to feel comfortable any time they come into online training so they know what is expected of them and what their outcome will be. You wouldn’t show up to vacation without luggage, a bathing suit, or a hotel.
Don’t leave your employees guessing on where to take their security awareness training. The goal is to give them a safe place to take their training, something they’re familiar with, so they understand how to log in, what the training will look like, and can enjoy their learning experience.
Timing is also part of this equation. Dumping dozens of training modules on employees in December, during their new hire orientation, or at the beginning of the year is not a great start. It is overwhelming and ineffective.
Instead, create an editorial calendar of training that spreads knowledge throughout the year. Keeping a consistent training schedule helps you diversify learning while keeping employees actively learning and building a culture around security.
Completing training to check the box for compliance requirements doesn’t mean you’re consistently and intentionally training your employees to be secure.
Most business decisions are driven by compliance. Although we have to be compliant, that doesn’t mean we can’t focus on security as well. As your organization is approaching compliance for SOC 2, ISO 27001, or any other regulatory framework, you have to recognize that compliance does not necessarily equal security.
Traditionally, you’re forcing your employees to quickly run through security awareness training to check that box off. While this is great for compliance, you’re force-feeding them information that they’ll quickly forget afterward.
Instead of taking the compliance-driven approach to security awareness training, focus on the employee learning experience. This means periodically releasing new content throughout the year focused on different topics related to security. By using this bite-sized approach, employees are constantly engaged with security throughout the year without overwhelming them with too much content. This is important because you want them to actually learn rather than just go through the motions.
Know your audience. For example, if you start delivering training to your employees with a bunch of technical security terms, concepts, and details, there is the potential they’ll be overwhelmed by the complexity.
Typically, security training falls on the CTO, IT, or engineering leader to teach their employees about security. While this seems like the right fit, those technical conversations don’t always translate to your employees.
Technical terms are okay to introduce, but ensure they are clearly explained when doing so. Otherwise, you will be leaving your employees lost when learning new subjects. When an employee starts getting lost in their online training, you will see engagement and results deteriorate over time as they lose confidence in themselves and their online training.
Although you might want to write down every possible technical word, definition, scenario, and example you can think of, realize they won’t be remembered by anyone. Instead, take the most important concepts out of what you are trying to teach and break them down into smaller, easier-to-understand components.
Putting together a security awareness training program is the primary goal, but it’s important to be cognizant of how you are collecting feedback from your employees. If it always feels like a one-way street of communication, that’s not ideal. It’s critical to set up informal discussions with employees to learn about what they are struggling with and how you can help them learn about these important security topics.
This is often overlooked because we tend to focus on employee training as a compliance exercise. Creating content, delivering it, and then simply checking the box that it’s done is not how you build a culture of security to truly keep your organization safe.
Instead, we should focus on delivering security awareness content that supports employees to keep them (and your company) safe. Their feedback is critical to know what is working and what is not. You can find out what they like and what they don’t like. This will make your security awareness program stronger and more effective than just checking the box for compliance.
If your security awareness training is made up of dozens of ‘Death By PowerPoint’ slides, you need to start over. Not only is the time spent developing those slides wasted, but they won’t be effective in protecting against a cyber attack targeted at your company.
Although the topic of cybersecurity is serious in nature, that doesn’t mean it can’t be fun to learn about. Boring security awareness programs cause breaches. It’s our fault if employees aren’t engaged. We have to bring a program to life so employees actually learn how to defend themselves.
Make it fun. At Curricula, we designed this world of heroes and villains, and you can learn about all sorts of security topics that might have been dry vocabulary words on a slide. But through storytelling, we bring employees along on this mission so they’re learning and enjoying being on the adventure as well.
See for yourself. Check out one of our animated episodes, test our phishing simulator, and learn more about how you can level up your security awareness training.
Check out Electric and Curricula’s webinar, The Top Cyber Threats in 2021: Security Awareness Training, to learn more about emerging cyber threats and how to protect yourself against them.