Expert Interview: How to Launch an Effective Security Awareness Training Program
Bryce Austin of TCE Strategy is a CISM-certified cybersecurity authority and internationally recognized professional speaker. In this Q&A, we sat down with Bryce to discuss security awareness training strategies and best practices that other infosec leaders can apply to their own training programs.
Many infosec leaders struggle to capture buy-in for security awareness initiatives. What advice can you share with others to help overcome this challenge?
Austin: Any awareness training program must be real and relatable — it can’t exist in a vacuum. Teaching cybersecurity from an academic standpoint is pointless. You must use real-world examples to show how your employees’ personal lives can be affected by cyber threats, and also how they can be improved through cyber-secure behavior. You then must link those same benefits to the business. This approach will ground security awareness lessons in their hearts, as well as their heads.
How do you engage executive teams in security awareness training program development, as well as encourage their participation in the training?
Austin: The best way to engage executive-level teams in security awareness training is to translate the risk of human error from phishing and other threats into tangible business risk. I like to discuss relatable impacts from breaches, like the 25% stock devaluation that happened at Equifax following their 2017 breach. There are several CEOs who have experienced “resume-generating events” as a result of a cybersecurity incident — these types of examples will get your executive team’s attention.
Executives are especially focused on these two areas:
- The bottom line of their company
- The trajectory of their careers
When you place cybersecurity threats in the context of business or career risk, executives are much more likely to support security awareness training initiatives at their organizations.
In terms of getting executives to complete training themselves, it’s important for us to reinforce the idea that company culture starts with the executive team. Executives have more impact on the mindsets of their employees than anyone else in the company. If they don’t complete the training, no one else will.
How can you ensure your training program meets compliance requirements?
Austin: Security awareness training compliance requirements vary widely from industry-to-industry and country-to-country. It is not one-size-fits-all. The goal is the same, but the methodology used to achieve compliance can be completely different.
You must do one of two things:
- Hire outside expertise to interpret compliance needs and establish a security awareness training program to meet those needs.
- Have an internal compliance team dedicated to disseminating training needs and creating a compliant training program suitable for your company.
You must treat this process the same way you would treat any other compliance audit. I advise my clients to fully understand what the real risks of non-compliance are and how much risk exposure they have.
What training frequency do you recommend?
Austin: I’ve seen many companies do awareness training annually — do not do this. Security awareness training must be ongoing and continuous. If possible, there should be at least one event a week. This can be a planned phishing campaign, a USB attack or a staged insider attack. And then we must educate users what to do if they see a suspicious email or other threat.
How targeted should training be (by employee level, role, etc.)? Does targeting training improve effectiveness?
Austin: A lot of security awareness training is identical regardless of role. Knowing what a phishing email looks like is something everyone needs to understand. The same applies to USB drives in the parking lot or other physical security best practices.
I like to target training by level of system access. This usually falls into two categories:
- Access to sensitive data: Do they have access to big chunks of sensitive data? If so, that user must receive rigorous training regardless of role.
- Access to money: Do they have the ability to initiate wire transfers for ACH? Those people are being spearphished directly and actively. They need a much higher level of training as well.
How should security awareness training be delivered?
Austin: Security awareness training must follow a multifaceted approach and become a part of company culture. I recommend involving the marketing team to build excitement about secure behavior and help sell it internally.
Everyone has different learning styles, which requires a diverse approach. Here are a few different tactics to consider using in your next training campaign:
- Gamification and incentives (gift cards for reported emails)
- In-person presentations and kick-off events
- Computer-based simulations
How do you track end-user behavioral changes over time?
Austin: My preferred Key Performance Indicator (KPI) is the number of reported potential cybersecurity incidents per employee, over a set period of time. These include reported phishing emails and fraudulent wire transfer requests. If that number increases, your program is working.
If you have more than 1,000 employees and you can’t track the number of reported incidents per month by the dozens, something is wrong.
What impact has security awareness training had on your clients’ organizations? What are the benefits?
Austin: Security awareness training is one of the foundations of a strong security program — its value cannot be overestimated. I have seen companies not only have fewer breaches as a result of a cybersecurity program, but also lower loss rates on company-owned laptops and smartphones. Security awareness training teaches people how to care for and protect their devices. Not leaving them in their car is part of the training. I’ve also seen clients detect problems in process before they become actual problems.
Any final advice for our readers?
Austin: A good security awareness training program can make your job as a technologist much easier. It’s a small investment that can return dividends.
For example, a well-developed training program can help you justify your budget requests. When the CEO understands the risks of things like ransomware, you’re much more likely to receive support for purchases intended as a countermeasure, e.g., establishing a physical backup system. Security awareness training will pre-sell the need for your cybersecurity budget requests.
About Bryce Austin
Bryce Austin started his technology career on a Commodore 64 computer and a cassette tape drive. Today he is a leading voice on emerging technology and cybersecurity issues. Bryce holds a CISM certification and is known as a cybersecurity authority and internationally recognized professional speaker. With over 10 years of experience as a Chief Information Officer and Chief Information Security Officer, Bryce actively advises the boards of companies in a diverse array of industries. He was the CIO and CISO of Wells Fargo Business Payroll Services, and a Senior Group Manager at Target Corporation. He has first-hand experience of what happens to a business and its employees during a cybersecurity crisis, as it did to Target because of their 2013/2014 PCI data breach. His best-selling book, Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives, is available at Barnes & Noble, on Amazon, and on e-readers everywhere.