SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Six ways to transform your cybersecurity training and influence lasting change
Tue, 27th Sep 2022
FYI, this story is more than a year old

The importance of privacy and safety cannot be overstated in this digital age. So much of our business infrastructure relies upon digital technology. This makes the technology and the data it contains a constant target for hackers and other malicious actors. As a result, robust cybersecurity training is imperative for businesses that want to keep their insights, data, intellectual property, and additional proprietary information safe and secure.

For many, one of the answers to the problem has been cybersecurity awareness programs. The traditional approach is a mandated one-off training session where employees read information and answer questions, but as cybercrime costs global businesses trillions, IT and security experts are coming to the realization that they must refine how they train their workforce to effectively combat threats.

Traditional cybersecurity awareness can be impersonal and does little to engage the learner beyond being an employee at your company. If the goal is to win hearts and minds, formal awareness training can fall short and often doesn’t inspire people to care.

One of the problems is that many organisations provide awareness training to satisfy minimum compliance requirements, not to educate their employees. As a result, security and awareness programs don’t always lead to the result IT leadership expects.

To add to that frustration, employees often see IT security as a team to avoid; as enforcers when they need to be seen as educators. Meanwhile, scammers and hackers don't ever stop learning.

A strong security culture depends on ongoing education. With a continued investment in education, it's possible to build a transformative training program that influences lasting change. Here are 6 ways to help capture hearts and minds, engage your workforce and protect your organisation from a potentially damaging breach.

1. Awareness vs. Understanding

Being aware of risk doesn't automatically protect you from it. So, simply making your employees aware of risks doesn’t go far enough — it's causing panic and could lead to sloppy decision-making. Instead, you must ensure your employees can identify risks and either avoid them or understand how to mitigate any potential damage.

What's needed is an authentic, people-centred approach that includes a multi-year strategy that contains buy-in from stakeholders and communities across your entire enterprise. Target communities that are at greatest risk and give them the support they need.

Broaden your security efforts by expanding education throughout your organisation. Cybersecurity training is for everyone and should be incorporated into onboarding and annual review cycles. When you empower your non-IT security teams, you create allies that members of the security team can rely on to drive organisational initiatives and affect cultural change.

2. Don't be afraid to play

Using humour and fun to educate learners about a serious message is effective when done correctly. For example, rethink the staid workshop in favour of an escape room, develop fun educational videos produced in a social media style that could replace boring instructional ones, or use a gamified context to teach employees how to deal with security risks effectively.

Innovative experiential learning involving storytelling and roleplaying strategies can help you hit your metrics for success while encouraging ownership and accountability in an engaging way. A proactive security team can't be shy about adding a little humour to address a serious topic.

3. Focus on the learner

Scientific research is pretty clear on what people need to feel engaged in a learning experience: relevance, meaning, and emotion. Therefore, your training should focus on the learner as a person, not just as an employee within your organisation.

If your training is to inspire lasting change, people need to see themselves in the content, not just hooded hackers. Therefore, messaging and content must be diverse and inclusive. People also don't necessarily like being told what to do and how to act, but people like being helpful and proactive in protecting their teammates, friends, and loved ones.

So, ensure your training includes education about security matters relevant to their lives inside and outside work to drive home what's at risk and broaden the conversation.

4. Leverage technology and brain science

Structure training to maximise retention. Training should break down into short bursts of learning experienced through an engaging presentation of information, practice opportunities, and evaluation. Strategies, including practical examples, case studies, video scenarios, animation, narration, and interactive quizzes, can help maximise engagement and retention.

People are also responsive to semi-competitive social proof techniques. Allowing employees to compare their performance against their peers often influences them to do better if they are falling short.

Always keep in mind that technology can sometimes be a barrier as well. Work closely with your security team and stakeholders to ensure no tech limitations are holding back change.

5. Repeat, repeat, repeat

Humans do not have unlimited memory space, and when there is no active attempt to retain information, it is lost over time. In addition, people forget at different rates, so it's important to reinforce key messages frequently.

Giving employees the occasion to repeat courses or training, especially given the ever-changing nature of technology and threats from attackers, helps build solid skills and keep them strong.

6. Education vs. Punishment

IT security teams must be on the front lines, helping the rest of the organisation understand their part in changing the security culture. However, if other business units are nervous about approaching the security team, it may pose a challenge to security assurance.

Make sure your security team is comfortable with being an enabler, leads with empathy, and reflects well on your entire security program. If your team lacks these human-centric skills, you might want to provide coaching to help them learn.