Transforming an organizations security culture remains the greatest hurdle for businesses as complex data breaches become the norm.
What can we do to enable people and reduce risk over time? Security awareness training is often seen as another to-do during a busy day or a punishment for employees who click on bad links. “Just-in-time” security training can certainly help the individual, but what message is being sent to that employee? It’s time to start enabling the workplace instead of disabling the capabilities of individuals.
Can “Just-in-time” Training Help?
One answer that I am seeing and hearing more about is “just-in-time” training (or just-in-time learning). There are many benefits of just-in-time learning, such as how it enhances worker productivity and speeds up the learning process.
Taking the “just-in-time” concept further, several companies are advocating the use of these techniques for enterprise security awareness training. The general concept that I am seeing is to provide a very basic compliance-focused training for the majority of people, and to enforce much more specific training for the select few who they identify as needing it most, since they violate some security policy, and/or do something inappropriate, such as clicking on a simulated phishing link.
Some companies offer related “education triggers” or “teachable moments” that are targeted at those who violate security policy or need the training the most because they do something wrong. These approaches claim to identify, focus training, (and where necessary) get rid of the bad apples and focus on those in the organization who (despite being non-malicious) pose the greatest risk.
Several security leaders I have spoken to were (at least initially) attracted to this approach, since it cuts down on employee time required for security awareness training for the masses. I have heard the argument, “If I can focus on a select few troublemakers, and minimize the training for 98% of the employees, I can save time and money.”
Who can argue with the concept of learning just what you need to know at the exact right moment?
Do We Need Just-in-Time Security Training?
We need to offer compelling content that is intriguing and teaches people what they don’t already know about security in sticky ways, in order to change behaviors and motivate people. Content is still king. I also believe that brief, frequent and focused content works best with gamification or game-based learning. I have even suggested that we need to make security awareness training more about culture change with a potential name change.
While I do think that “just-in-time” security training may be able to help select organizations in a very limited context (as a supplemental approach), I have a more fundamental concern with this trend, if it is front and center.
I worry that organizations that deploy this approach are making security training a penalty. In the extreme, security organizations can even send the message: “Only the ‘bad’ people (the policy violators, those who click on test phish or others who do something wrong), need go to security awareness training. The implied carrot becomes not having to take the security training.
Over months and years, a culture could develop where security awareness training is a punishment for the select few. Like being sent to detention at school or writing phrases on the chalk board multiple times. The message to staff: you don’t want to be one of “those people” who need security awareness training. With memories of ridicule in elementary school, the majority of staff have the goal of “not screwing up or not getting caught.”
Beyond views of the awareness training, the security team’s reputation can suffer. In this type of enterprise culture, the security team members are the bad guys — or “Dr. No” who might pull you over or get you fired.
In a healthy security culture, all front-line staff are proactively well trained on information and physical security, know what to do (and not do), where to report incidents, when to ask for help, who to contact and how to work together effectively. Staff have a good relationship with the security team because the cyber professionals are helpful. There is not an “us vs. them” problem.
The meaningful, customized security content is constantly updated in positive ways to meet the culture. Understanding risk (by all) in various scenarios is an important component of this overall security relationship. The security awareness training is a positive bridge to start meaningful conversations to enhance business projects, integrate streamlined processes and apply appropriate technology.
Security Must Rise to the Top
I recognize that some in the security industry will disagree with me, but I hope we can agree on this: we need to be passionately building (or rebuilding) enterprise cultures that put security at the top of the priority list. We need innovative companies and government organizations that have healthy cybersecurity practices. The security teams must be enablers of positive change. I often hear staff say, “Teach me things I don’t already know.”
No doubt, fear must occasionally be a part of the training menu, but it must be an appetizer and not the main course. Yes, there are bad apples in organizations that need to be disciplined or removed, but spend more time with the good apples.
Just as model parents and teachers train their children by demonstrating, encouraging, motivating and challenging in fun, positive ways, much more than disciplining them, we must do the same to build healthy security cultures that endure. We want the staff to say, “thank you!” They will, if we offer helpful security lessons that are intriguing, thoughtful and memorable. Please don’t make end-user security awareness training a punishment for doing something wrong.