The Challenge of Delivering Security Awareness

May 27th, 2016   /   security and compliance

In this post-Heartbleed world, personnel are more aware than ever of the threats facing anyone that ventures “into the cloud” or pretty much touches anything digital with an Internet connection. So your employees must be eager to sit through some security awareness training, right? Wrong.

Unfortunately, our fast-paced world also drives our need to complete tasks: close that ticket, merge that code, zero out the inbox, flag for follow-up, create a task for the activity you just completed just so you can mark it complete.

It’s difficult to slow down for any kind of training, especially during business hours when you are slaying task lists and climbing Mount Inbox with the One Ring around your neck. There is also the aspect of some end users having a false sense of confidence, e.g., “I wouldn’t fall for those Nigerian Prince phishing scams!”

Well, the Nigerian Princes are close to retirement, and have mostly been replaced by more sophisticated phishing attacks. If you are of the mind that the loss of millions of dollars or millions of records is a suitable key performance indicator, then you will agree with me that there is still room for us to collectively improve our security awareness. So what can you do about it?

Here at OneLogin we are piggybacking, no pun intended, on our annual security awareness training to kick off a few initiatives:

Streamline content

We took a very close look at all the content and made sure there was zero redundancy with other trainings already in place. One way to make training more digestible is to simply have less piled on the plate at each sitting. We went from Cheesecake Factory plate density to French bistro lunch special density.

Spread the delivery

We are leveraging a company Learning & Development initiative to deliver topics throughout the year, interspersed with other content. This way we can reinforce higher-risk topics, e.g., passphrases > passwords, and use the existing L&D momentum for the sake of security awareness. Making content more digestible is one thing, but without retention, that tasty hanger steak with pommes frites will not linger long in your mind.

Try something outside the box

We are working with a local company, Apozy, to help reinforce key topics. The beauty of their product is that it provides easy-to-digest lessons tailored to each of your end users’ cybersecurity knowledge. For example, if Bob in Accounting really knows how to spot physical security risks and Alice in Sales has a black belt in phishing detection, they will each get lessons focused on the areas they need to reinforce, not the ones they already have a good grasp on. This helps keep them engaged by showing them that the topics covered are personalized to them and by challenging them to improve their knowledge, thus improving retention. As an added bonus, we will be able to see across the company what areas need improvement, which allows us to focus future training efforts strategically and comes back full circle to the idea of streamlining content.

There is no guarantee of success, but the times demand that security awareness be part of every company’s control environment, and for it to be successful (read: digestion and retention), you need to really invest in it and constantly tweak your approach. In the end, your employees might not thank you for it, but minimizing the number of successful cybersecurity attacks is thanks enough.

About the Author

Alvaro Hoyos is OneLogin’s Chief Information Security Officer and is tasked with architecting and leading the company’s risk management, security, and compliance efforts. Alvaro also works with prospects, customers, and vendors to help them understand OneLogin’s Security, Confidentiality, Availability, and Privacy posture and how it works alongside, or in support of, customers’ own risk management strategies. He has worked over 15 years in the IT sector and, prior to joining OneLogin, spent 8 years working with startups, SMBs, and Fortune 500 companies on their security, compliance, and data privacy efforts.