I've conducted an initial security awareness training session for my organization. Now I'd like to implement follow-on training. What should we focus on? I'd like to cover the most important topics without being so basic that the users get bored and avoid being so technical that the users don't understand.
Both basic and more advanced material have a place in a security awareness training program, but the program is only effective once information security is embedded in the company's corporate culture.
Keep in mind that security is not the reason staff come to work. They are there to meet company obligations and corporate objectives. A well-planned information security awareness program earns security the level of attention it needs without getting in the way of that work.
Several laws, regulations and industry standards require a formal security awareness program, including HIPAA, the Gramm-Leach-Bliley Act, PCI DSS and SOX. The program should start with new-hire orientation training and the annual security training these mandates require. Beyond that it can include classroom sessions, periodic emails, posters, online videos, contests and the occasional visiting security luminary. A quarterly newsletter with articles on security topics, including security-themed crossword puzzles, also works well. There are numerous free resources on the Web, such as the SANS OUCH! security awareness newsletter. NIST publishes guidance on building an awareness and training program (NIST Special Publication 800-50), and vendors such as Symantec offer packaged programs.
In my previous employment as a CISO, I held a contest to name a mascot for the information security program. I asked the marketing department to design a cartoon character dressed as Sherlock Holmes and sent out the contest rules. After receiving numerous naming entries, I asked our CEO to pick the winning entry. The winner received a new iPod and was announced on the corporate intranet with a picture.
This accomplished several things. One was participation from company staff, which turned the contest into a water-cooler discussion that increased security awareness. Having the CEO pick the winner sent a message to the entire corporation that information security was a serious yet fun topic clearly supported by upper management. This tone from the top made subsequent awareness efforts easier.
Follow-on awareness training, beyond what the compliance mandates require, can cover topics including, but not limited to, password controls, phishing, an overview of the key laws and regulations, hacktivism, proper phone etiquette and security, clean desk policy, physical security, mobile device security and encryption. Keep each message simple, colorful and crisp, and keep it current and pertinent.
A security awareness training program does not have to be burdensome or repeated ad nauseam. It can be fun, creative and inexpensive in ways that staff look forward to and learn from. Use all of these approaches in moderation, and whatever methods you choose, apply them consistently.
Ask the Expert