Have you struggled to establish a security training environment within your organization? Or explaining the “whys” to those in senior leadership to gain traction and support for implementing your vision? This is a common problem for companies of all sizes and ages and may be easier to solve than you think. This series will break down how to design, develop, and deliver effective training to your organization.
 
While maturing your governance and compliance environment you have likely encountered the need for designing and scheduling security training for team members across all levels of the organization. This includes entry-level employees, management, and executive staff. These training programs are generally designed to meet objectives established by the information security framework adopted by your organization or compliance standards imposed by various agencies within your industry.
 
Examples of such standards and frameworks which require established security training programs include PCI DSS, ISO 27001, and GDPR, to name a few. Below are a few examples of requirements and objectives for any organization pursuing compliance or certification.

Why is Security Awareness Training Important?

As stated, many standards mandate security awareness training and at a minimum, you should design your security programs to meet objectives set forth by industry governing bodies. Failure to meet these objectives can result in non-conformities with industry standards, failing audits, and impacting business success by failing to get necessary certifications for operation in those industries.
 
Examples of security awareness training that aim only to appease auditors and pass compliance objectives are:
  • PowerPoint slide decks with an accompanying Excel roster that gets passed around from department to department, rarely updated, with employees never tested on competency.
  • Annual signature updates on security awareness documentation that is stored deep within the human resources files and is quickly refiled after signing, not to be seen again until the next compliance cycle.
  • A short message communicated during an annual company training, again with no assessment of comprehension and rarely updated.
While the above may serve as a minimally viable solution for meeting industry standards and passing compliance obligations, your organization should not stop there. These processes may “check the box” during the organization’s annual audit, but they leave much to be desired compared with an environment designed by a mature, security-focused, and forward-thinking organization.
 
Mature and successful organizations understand that having a mature security awareness environment in place can improve the business on multiple fronts, such as reducing loss and improving the response efficiency of the information security team. Other areas that may benefit from a fully realized security program are as follows:
  • Reduce losses caused by malware: Each year organizations globally lose thousands of hours of productivity combating malware infections that could have been prevented by following established behaviors.
  • Reduce losses caused by phishing: Successful phishing attempts can cause great losses to organizations by giving attackers access to sensitive information, exposing the credentials of key employees, and damaging the organization’s public image.
  • Increase operational efficiencies: Trained employees can identify and communicate errors in system operation to those tasked with resolving them.
Now that we have addressed the “whys” associated with implementing a serviceable security program, our next installment of this series will begin to focus on the “hows.” Subscribe to receive updates where you will learn how to complete the design process for your program.