By Jason Hoenich on Mar 25, 2019
If you’re looking for the secret sauce for building a culture of security and having employees who actually care about security, you’re going to want to write this down: Don’t blow your budget on a lousy automated training program.
Change doesn’t happen overnight, and it can’t be automated. Out-of-the-box turnkey security awareness training doesn’t deliver on your goals or your vision—it’s someone else’s idea of what makes sense, whether that’s quizzes or unnecessarily splashy graphics and GIFs.
Don’t be tempted by automation. And if you are, at least use our strategy guide to increase the chances your training program works for the long haul.
After all, security awareness training requires planning, collaboration, and communication. A quick-fix automated security awareness training program isn’t what your employees—or you—deserve, want, or even need, and here’s why.
OK, so your security team doesn’t have a designer on staff, and you probably don’t have a PhD in education, let alone the infrastructure to build an entire program from scratch. Although hiring a company that has quizzes and graphics and videos and all of the bells and whistles you think you need might be attractive, don’t be misled.
You don’t actually need most of what those companies are selling. Simple, intentional training will get the job done, we promise.
It’s Not About the Vendor
A successful security awareness program is about more than just delivering amazing, dynamic, hilarious, and relevant training to your employees so they can adopt better security habits. It’s about:
- Setting goals
- Creating measurable objectives
- Helping repeat responders adopt better habits
- Building a culture of security
All of that? You can do that, no matter which partner or vendor you work with.
Build Your Security Awareness Training Program
Your goal is to build a program that identifies risky/non-ideal habits and replaces them with secure habits. Here’s what you need to do to craft that program, and we promise it won’t be as stressful as you probably think it will be—and it’ll feel a lot more fulfilling than buying some one-off training licenses.
Step 1: Get buy-in
You’ve got it! Everyone knows you need it. Now start planning. Just make sure everyone who needs to be part of the process is involved, including:
- Email team
- Help desk
Step 2: Set goals
Make clear goals and create measurable objectives for achieving those goals. Then, establish benchmarks for how you’re going to measure successes and relay those wins to everyone else, too.
Step 3: Strategize and define
For this step, make sure you have timelines and responsibilities fleshed out and that all stakeholders understand the “how” and “why” of your program. Also, if you’re including phishing simulations, be sure to define who your repeat responders are so you can monitor and guide them toward success—this is totally non-negotiable, by the way.
Who are repeat responders? They’re the people who respond to at least four phishing simulations. They’re not offenders, because they’re not offending anyone; they’re responding to the training, which is exactly what you want. Give your coworkers time to adapt and learn so you can work with repeat responders to change their habits for good.
Step 4: Set up your program
Beyond making sure all stakeholders know what’s happening, turning on a phishing reporting button, whitelisting certain domains, and creating an FAQ or wiki with security Q&A, you might want to pull in a vendor to help out with the educational component.
We might be biased, but you should pull in a partner who can deliver hilariously relevant security videos and animated shorts. Find a partner you trust who gets your vision and knows how to deliver effective training content. Hey, that’s us!
Step 5: Publicize it!
Yes, a lot of out-of-the-box security awareness training programs promise amazing graphics and design deliverables to publicize what you’re doing to the company, but do you really need that?
Keep it simple to make your training more effective, more awesome, and just plain better. The simpler it is, the more transparent it will be, and the more trust you’ll gain from everyone who’s being touched by training. On that note, don’t call it training. People get weird about “training programs.” Don’t let it get weird.
Step 6: Launch your program
Now that you’ve got goals, a plan, and amusing—yet effective—training content in hand, you’re ready to launch your program to rousing success.
Make sure you track progress—especially for your repeat responders—as the program moves along. Follow up with regular check-ins and supporting sessions or tips via email, and create an ambassador program to take some of the weight off your shoulders, too.
Don’t just buy a security awareness training program—build it so it says and does what you want and need it to. Focus on your goals, not someone else’s.