Monday, March 4, 2019

It's Time to Train the Trainer

Why is most mandatory corporate training so bad? It is utterly devoid of humor or character, with nauseating stock photos of smiling "teams" sitting around tables or shaking hands. Students are expected to learn every policy and best practice in 60 minutes, and at the end there is a silly quiz that tests their reading comprehension - along with their patience.
[Image caption: These are the good guys]

Why do organizations require training? Is it only because the organization is itself required to do it? What is the training for - is it to change people's behavior in order to achieve a specific outcome, or is it just so you can say "I told them not to do that" when something bad happens? Even worse, is it just to tell your regulators that you checked the training box?

Cybersecurity awareness training may be the worst of the lot.  Students are expected to digest a mind-numbing array of concepts, policies, regulations and best practices, from dumpster diving to asymmetric encryption. At the end, there's a "knowledge check" to prove they can regurgitate sections of the security policy on demand.

All the cybersecurity training I've ever seen consisted of citing a dozen legal statutes, then going through phishing, encryption, privacy, password best practices, social engineering, acceptable personal use, permitted devices, appropriate websites, email etiquette, and more.  It's not working.

  • It's too much data for a human to assimilate in an hour.
  • There aren't any real-world examples of how your organization is affected.
  • The student will tune out anything she doesn't feel is relevant to her situation.
  • You don't have any way of determining whether the training was successful.
    • Actually, that's not true - you have the dreaded mandatory survey at the end of the session.

You're missing a rare opportunity by not putting enough thought into mandatory training. Mandatory training is a shared experience and you have everyone's attention for an hour or two. This makes it a unique chance to change the culture of your organization and boost morale by creating a positive experience.  Done right, training can help everyone be better at their job, and yet this opportunity is often squandered because it lacks forethought and clear, measurable goals.
[Image caption: This is the bad guy.]

Instead of trying to get your colleagues to memorize cyberlaw, what would happen if you asked HR and your incident response team to tell you the three bad behaviors they most want to eliminate from your organization? Agree on three things that happen in your shop that you'd like to eliminate once and for all. Get examples of the behavior and how it impacted you. Most importantly, get numbers - how many times did it happen last year? Focus your entire training on those three things.

For example, if plugging in personal USB drives has caused data exfiltration or virus infections, then quantify it, and train people not to do it. Provide case studies that show how USB drives have impacted the organization. Try to make the training fun, or at least engaging. Forget the quiz results - if the training worked, you'll see a measurable drop in USB-related incidents, counted the same way you counted them before the training. If you don't, you need to tweak your training.

By taking an incremental, focused approach, you can use your training program to inspire your team to do better work, and help your organization avoid risks.  If the training is created with wit and creativity, it might even boost morale.

It's time to train the trainers.
