The concept of cybersecurity education and awareness has taken on new significance within enterprises in recent years as more and more organizations have sought to implement effective training programs to better prepare their workforces for today’s constantly evolving cybersecurity challenges, risks and threats.
Lisa Plaggemier is chief strategy officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education. In her role, she drives development of the company’s award-winning course offerings to prepare modern organizations for modern privacy and cybersecurity challenges.
A prominent security influencer and regular event speaker, Plaggemier is passionate about using her experience to fuel an innovative approach to training that engages learners and impacts behavior.
Infosecurity spoke to Plaggemier to learn more about the importance of effective cybersecurity awareness efforts, the key elements of successful training programs and what the future might have in store for security education in organizations.
How important is it for organizations to implement effective, regular information security training?
Hardly a day goes by when there isn’t news of another data breach. While we’ve gotten fatigued hearing about them, they still cost organizations millions in disruption to their business, remediation and brand damage. An effective training program is an essential part of any security program.
What are the key elements of successful security training programs?
First, understand your environment, including:
- Applicable regulations and contractual obligations around training
- Employees’ current knowledge, attitudes and beliefs about security through a survey and/or a pre-test or some sort of assessment
- What your biggest risks are
- What are you protecting – people, data, IP, etc.
- Company culture and demographics
Next, align your training content based on the results of what you learned above. In other words, if data is your greatest asset and you learned your employees don’t understand much about data regulations, safe data handling, data destruction, etc., then choose training content that covers those topics well. It also needs to be engaging and fit your culture, so if you’re training a young, highly technical audience, for example, gamification or animated content might be effective.
Finally, look for ways to judge the efficacy of the training beyond just training completion numbers. Gather baseline metrics that speak to your training goals, and look for improvement. For instance, if one of your goals is to increase incident reporting, that’s what you need to track and report on.
What’s your advice for helping organizations to track program effectiveness?
Go beyond phishing and training metrics. Look for meaningful metrics that impact the business, like the time your IT help desk spends reimaging laptops due to malware infections. That translates into time and cost savings. Partner with the business, understand the risks and pain points, and measure your progress on affecting those. You can also measure engagement from employees. Consider all the other ‘touch points’ you have with employees beyond training modules: things like content on an employee portal, email newsletters, etc. Are people reading your newsletter, or spending time on your security portal? Track engagement metrics.
What do you think the future will have in store for information security training?
I think it’s going to get more personalized, more actionable and more engaging. We can’t assume that people are inherently interested in this stuff like we are in the security field. In general, people choose convenience over security, and we tend to do better training when we accept that truth as our starting point. I think we’re getting better as an industry at doing that, but we still have room to improve.