A Winning Information Security Awareness Program | Optiv

January 05, 2013

If you work with credit cards, personal identity information or other confidential information, chances are you are required by law to provide your employees with security awareness training.

There is little doubt that education and training can improve your company’s security culture, but how you deliver that training to your employees can transform it from an afterthought that is forgotten in a week into an initiative that creates real and lasting change in your organization.

Turning Your Employees into Security Multipliers

Everyone in information security wishes employees would stop making what they consider “silly” mistakes. With the right security program and training, you can turn your employees from security liabilities to security multipliers. An educated employee who can avoid phishing emails or viruses allows IT and information security teams to focus on the big picture instead of constantly fighting a series of small battles.

Why doesn’t all security awareness training have this effect? Most training suffers from neglect. The training is thought of as a burden: something that has to be done but that can be taken care of at the last minute.

The problem is that no single security awareness training session will completely change your company culture on its own. Sure, a great security awareness course that uses hands-on exercises and real-life scenarios to train people in skills they are going to use every day, and that gets your employees talking about security, is a thousand times more effective than a boring PowerPoint presentation or throwing information at them. However, while it may meet compliance guidelines, a one-time training session is not enough to change your security culture.

West Point completed a study on using a phishing education program to combat phishing. The study found that right after the program was completed they saw dramatically lower rates of people falling victim to attacks. However, as time passed, cadets quickly forgot the lesson as they went about their daily activities such as classroom work, exercise or an instructor screaming in their faces about pushups. It was only by reinforcing those concepts over time with further training and reminders that cadets again remembered how to effectively stop attacks on a consistent basis.

Make a Security Awareness Program Your New Year’s IT Resolution

Since it’s the New Year and the time for resolutions, make this year the year you turn your security awareness training into an effective security awareness program. Here are some guidelines that can help you make the change:

  • Develop a year-long rollout schedule. The key to a program that makes real change is to develop a schedule that takes place throughout the year, not just once. Your goal is to keep security in the front of your employees’ minds.
  • Choose a solid eLearning base. Pick a security awareness course that avoids rote learning, engages your employees and provides hands-on training. Employees will remember a course that creates an emotional connection with them, not a dull, lecture-based class. Roll out the course in sections throughout the year to continually train your employees.
  • Reinforce your main eLearning message. As you deliver training throughout the year, don’t let it simply work on its own. You can take easy (and free) steps that remind people about security. Small weekly tips via email, information about companies that have been hacked, newsletters about security or awards to those with secure work areas will all go a long way to keep people aware.
  • Obtain buy-in from senior leadership and department heads. If other leaders know about your plan and how it will positively affect their department, they will help you make sure everyone completes the required training.

Keeping Your Resolution

We all know that while it’s easy to make a resolution, it’s a lot harder to keep it. You can make sure you follow through and achieve your goal by enlisting a support team.

Start by sharing the responsibility with several other people in your department. Head up the program, but don’t try to support it completely on your own. Put yourself in charge of administration, another coworker in charge of queuing up the next eLearning course and sending reminders, and a third in charge of sending out the weekly security tip. By making other people part of the team you can ensure that the program doesn’t dissolve or fall apart.

Now go forth and make 2013 the year when you change your company’s security culture!
