According to Brent Johnson, CISO at BlueFin, cybersecurity training is more relevant than ever. That's because employee retention is hitting record-setting lows in the wake of the Great Resignation. With so much turnover at many small to medium-sized businesses, security training is often getting left behind in the scramble.
At CG Silvers Consulting, we know a thing or two about getting a new cybersecurity training program off the ground. In fact, we help businesses with their internal security awareness trainings all the time.
Ready to get started yourself? Let's walk through the three key components of a great, low-cost, highly effective security training program.
1. Leadership buy-in
As Johnson said in his recent interview with Help Net Security:
"Cybersecurity and associated training programs should be ingrained within corporate policies and allocated the budget required to succeed – without investment from leadership, good intentions for enhancing cybersecurity training may never be translated into action."
We couldn't agree more. If company leadership doesn't openly prioritize security training, no one else at the company will.
Leadership support for training can come in many different forms. Consider implementing any (or all!) of the following:
Onboarding documents. When new employees are onboarded, the materials they see in their first few days shape their perception of the company's priorities. If "set up direct deposit for your paycheck" is listed right next to "complete security awareness training" in their onboarding checklist, new employees will understand just how important this training is to their work at the company.
Participation. Sometimes, company leadership skips out on so-called "mandatory" activities. There can be good reasons in some cases, but executives should understand the message they convey if they say something is important and then don't participate. The leadership team should always participate in security training using the same process as everyone else to lead by example. And hey, you might even learn something!
Vocal support. All-hands meetings, company-wide emails, and even the lunch table are great forums for launching new initiatives. Don't let the security team be the only ones talking about security awareness training. If executives make a point to casually discuss the company's training program, everyone else will understand how ingrained security is in the company culture.
It's hard to set company culture, but a strong, coordinated effort from the leadership team can go a long way. Buy-in from the top filters all the way down to new employees.
2. Clear, simple instructions
We all know that when we're asked to do something we don't want to do, any little obstacle can become the excuse to opt out. Maybe that pan on the stove is still just a little too hot to wash, or it's cold outside so the mail can wait until another day.
The same principle applies to required trainings in the workplace. So your job is to remove any potential obstacles that would get in your team's way.
A great security program is accompanied by documentation that contains:
Short, clear instructions for what to do, formatted as steps or bullet points
Links to any materials employees will need to complete the program
Deadlines for completing the program
Want to see a great example of clear, simple instructions? Check out this blog post to read how one enterprising product development manager took on the task of creating her company's first formal security training program. There's even a free template you can download to get started yourself!
3. Relevant materials
In his interview with Help Net Security, Johnson emphasized the importance of relevant training materials: "I’ve found that employees are more apt to remain engaged and ask questions if the subject matter is current and relevant."
For small businesses employing younger professionals, this feature of your security program becomes even more important. Unlike the professionals of previous decades, the employees entering the workforce in the past 5-10 years have grown up in the era of the Internet. They know what phishing is, and they've gotten their fair share of scam emails in their lifetime.
If the information or scenarios included in your security training program sound like news from their grandparents, your younger employees will assume the rest of the recommendations and policies about security are equally irrelevant to them.
Don't worry! You don't have to be an expert in the latest security threats. You just need to choose a security training program that regularly refreshes the scenarios over time as new threats arise.
We recommend checking the materials in your chosen security training program every year to ensure they've been updated. Whether you put it together yourself, contract with a consultant, or purchase training software, keep an eye out for relevance.
(And you can always join the CG Silvers Consulting mailing list to stay up to date with the latest threats!)
We understand that security training is just one of the things that small businesses have to think about when onboarding new team members. There's even more pressure on onboarding now with high turnover rates across all industries. But don't let that get in your way! Security training is just as important as ever, so use the considerations above to guide you.
And don't forget that CG Silvers Consulting is here to help if you want a little extra support with your security awareness training program.