Larry Cates: What CSOs need to know when looking for a security awareness training program
Global Learning Systems LLC (GLS) is an award-winning enterprise training solutions provider with over 25 years of experience offering web-based training, outsourcing and support, custom development and IT solutions that help federal agencies and commercial organizations develop their human capital resources and meet their business challenges through integrated learning and technology solutions. Focus areas include: Security and Compliance Training, Customized eLearning, and OnDemand LMS to enable enterprise-wide Learning & Development Solutions.
Rake Narang: Why is Security Awareness Training important? What are some key elements to look for in a Security Awareness Training program?
Larry Cates: Recent studies find that negligent insiders continue to be a top information security threat within the organization, and it is the responsibility of the organization to properly educate their employees on security best practices and vulnerabilities in order to raise security awareness and ultimately change employee behavior. Without an effective Security Awareness Training Program, individuals will not know how to properly recognize, react to and report a cyber attack, putting both the individual’s and the organization’s information at risk.
When considering a program, there are certain elements to consider. Learning is not a one-time event, and therefore you need to provide continuous learning in order to actively engage your audience. Your program should consider options that provide multiple touch points in your campaign: general awareness courses, role-based courses, topical videos, security newsletters, themed posters and email campaigns. Such materials should focus on bringing awareness to key topics and threats including: phishing, mobile security, passwords, etc. Furthermore, you want this integrated training solution to afford the learner 24/7 access, globally. Using an OnDemand Portal strategy, users are presented with the resources for continuous learning and are able to “pull” from them as needed.
Finally, make sure the course is interactive and engaging with real-life scenarios throughout. You want your employees to understand the importance of individual responsibility and the role they play when it comes to organizational security. Always remember, a secure organization depends on employee security awareness.
About Larry Cates
Larry Cates is the President and CEO of the Bancroft Technology Group (Global Learning Systems & KeyStone Learning Systems). He has been developing security and compliance training solutions for over ten years for US and international-based clients in the corporate and federal government sectors.
He has led the GLS team in designing training solutions that address critical client security concerns and help prevent security breaches by promoting appropriate employee behavior. GLS’s innovative approach to changing employee behavior and raising awareness of new and ongoing threats has enabled the company to become a leader in compliance and custom learning solutions.
Rake Narang: What are some of the most common but critical mistakes still happening in security awareness training programs?
Larry Cates: The absence of relevant and scenario-based training to engage the user is a critical misstep in conducting an effective program. Another critical mistake in programs that we see is the lack of focus on individual responsibility with no follow-up communication. The learners need to understand their role in organizational security, and if the course content simply focuses on standard definitions rather than practical examples, the learner will lose attention. The course should incorporate knowledge checks, activities, or quizzes to ensure learner retention.
In addition, the lack of leadership or senior management support within the organization will hinder a program’s effectiveness, since the general audience does not perceive security awareness as a key business priority.
There also needs to be various touch points. Yes, simply meeting compliance with an annual course can help, but a program should include other channels of communication. I recommend security newsletters, posters to raise awareness, and refresher courses as a start. This gives an organization multiple channels to reach learners and communicate the importance of security-minded behavior.
Finally, companies that do not measure and assess their ROI for their programs on an annual basis find that they are unable to effectively build and develop training and awareness programs that change employee behavior and facilitate culture change throughout the organization.
Rake Narang: What new trends are you seeing in Information Security Awareness?
Larry Cates: Information Security Awareness trends include more interactive courses to engage learners. This interaction can include real-life scenarios with an option for the learner to choose what the person in that example should do in the provided situation. With some topics, gaming is a great way to engage learners and educate them on security best practices. For example, phishing is a main information security threat across all industries, and simulated attacks combined with an eLearning game can be a very effective way to reach learners.
Rake Narang: What do you think CSOs should focus on in terms of security awareness?
Larry Cates: In regard to security awareness, CSOs should consider developing or utilizing a flexible yet comprehensive security awareness program that is interactive, focuses on key topics and threats, can be easily customized and offers various touch points throughout a given year. They should also find a program that can be delivered 24/7, globally, so their employees can learn whenever and wherever their schedule allows.
Focus areas should include general security awareness, role-based courses for IT staff, phishing simulations, mobile security (especially with BYOD prevalence), and appropriate compliance for your organization (PCI, HIPAA, Privacy Act, and more).
Specific course topics should focus on individual responsibility and include: phishing, mobile security, passwords, identity theft, social engineering, portable devices, data security, network security and physical security.
In conclusion, customization should also be a focus to integrate the training with the branding and environment of the organization. It communicates that this is something integral to your culture, and allows for the ability to add specific policies and procedures that are unique to the organization.
Company: Global Learning Systems
Address: 6030 Daybreak Circle, STE A150, #116, Clarksville, MD 21029-1642, USA
Founded in: 1983
CEO: Larry Cates
Public or Private: Private
Head Office in Country: Washington D.C. Metro Area, United States
Products and Services: Security Awareness Training, Custom eLearning Solutions, Compliance Training, Learning Management System, IT Training, Anti-Phishing & Social Engineering Training Solutions
Company’s Goals: Continue to provide industry thought leadership in the design, development and implementation of innovative and interactive Security & Compliance training and awareness programs that engage users and change employee behavior.
Key Words Related to your Company: Security Awareness Training, Information Security Awareness Training, Compliance Training, Custom eLearning, OnDemand LMS