
Security Awareness Training: Don’t Blame Your Employees

NCSAM is a time to reduce fear and fix your culture

Ashley Rose, CEO at Living Security

Austin, Texas – Oct. 12, 2020

Each October, enterprises across the country execute a flurry of well-orchestrated activities around cybersecurity. Many program owners relish the opportunity to flex their planning prowess, guiding thousands of employees through round after round of training sessions. They train on phishing, spear-phishing, whaling, vishing, smishing, and a few other -ings for good measure. And when it's all said and done, the numbers will show how many employees completed training and how they scored on the assessments.

Unsurprisingly, the numbers look good: more employees participated than ever before and their scores went up. "They must be better prepared!" we tell ourselves, and we report metrics to our executives that we believe support that statement.

Then the doubt creeps in. What if someone clicks on a phish next week? What if we get breached and end up as a headline in the news? Will IT get blamed for not blocking it? Will I take the fall for someone’s human error? Whose fault is it if something goes wrong? A hint of what we’ll talk about later — your security culture is a problem if fear of blame is pervasive in your org.

Ultimately, we question whether the flurry of NCSAM (National Cybersecurity Awareness Month) activity is actually enough to keep us safe. Will it work? Could we have done something different, better, new?

We question this because we know that security awareness training, as most enterprises deliver it today, is inherently broken. It comes from a place of good intentions, built with the tools we have at our disposal. But will it make the difference when it matters most? Was it memorable, and was it memorable for the right reasons? An internal phishing test that uses employee bonuses as the bait isn't going to win any prizes at the office; it teaches people that the security team is the adversary, not the attacker.


Security Awareness Training is Broken

What tools did you have this October?

  • Slideware? I love a good slide presentation as much as the next person, but I honestly cannot recall a presentation that impressed me so much I told a colleague, friend, or family member about it.
  • Did your platform have a clever gimmick or tagline? Again, some are memorable but fail to be memorable for the right reasons. I can think of plenty of funny commercials, but I don't remember half the products they were selling.
  • Did your platform introduce a goofy character or cartoon? At best they can home in on a specific topic (think Captain Phishworth and his phunny phishing puns); at worst they turn off your audience, who then tune out the lessons being taught.

We need something better. We need something that goes beyond a crash course of the same old cybersecurity training to a program that is engaging and memorable. We want to roll out training that people want to take, not training they have to take.

We want to change the security culture, and though it may feel like a lonely road and a weight to bear without support, 73 percent of CISOs say security culture is their #1 hot topic (up from 64 percent in 2019).

But many organizations struggle. Look at some of the other statistics from the same source, which covered 14 different culture change activities:

  • only 12 percent had any competition between teams (think scoreboards and gamification)
  • only 33 percent had any role-based customization of training
  • only 47 percent (thankfully, or perhaps frighteningly) had a proactive "report it" no-blame policy

Remember earlier when we talked about being afraid of who was going to take the blame? Here is the culture killer. If employees aren't comfortable raising their hand about a problem or concern, the phish that got clicked goes unreported, the security team hears about it days later (or from the attacker), and the window for containing the incident closes. That silence is where cybercriminals thrive. A no-blame "report it" policy is not a soft perk; it is what turns your employees into sensors for your incident response process.

We know that NCSAM is our opportunity to shine, to show off our hard work, and contribute our best to raising the security awareness bar for our organization. This October, take a moment to first be proud of what you have accomplished. It’s a super-human task to manage thousands of employees through this yearly cybersecurity training marathon.

Next, take stock of what you're measuring. Completion rates and quiz scores tell you who sat through the training, not who retained it. If you're unable to measure engagement and retention of the knowledge gained, or if you can measure it but find that employees aren't retaining what they need, it's time to evaluate a better platform. Use NCSAM as your measuring stick: check retention a month from now and again three months from now, and compare it with the scores recorded in October. If your platform has micro-learning modules that provide reinforcement, use them to help boost retention between those checkpoints.

If it’s time for a fresh approach, look for a platform that provides a unified approach to cybersecurity training; engaging, memorable, experiential learning is 16x more effective than traditional methods.

The problem isn't that employees are risky because they don't care; they're risky because they don't understand the impact of their action or inaction. Experiential learning solves this; slideware and gimmicks don't.

So, this October, don't let NCSAM give you a false sense of security. Instead, use it as the launchpad for building the security culture that everyone wants, one that drives results instead of just metrics.


Ashley Rose is co-founder and CEO at Living Security

Sponsored by Living Security

Experience a game-changing security culture.

Living Security co-founders Ashley and Drew Rose recognized that traditional security awareness programs were failing to move the needle and it was time for a fresh approach.

Our immersive training experiences engage the enterprise using science-backed techniques to motivate behavior change and refreshed content that’s relevant for the current threat landscape.

Our science-based approach drives user engagement and reinforces positive security behaviors across the enterprise.