Virtually every company now faces cybersecurity threats, and no matter how strong a firm's technical controls are, its employees are often the weakest link. Human susceptibility is why attack methods like phishing remain effective.
Security awareness training is critical to reducing human risk. Yet too many training programs fall short of building a strong defensive posture. From flawed motivation to poor structure, security training has several persistent problems, in scrappy early-stage startups and established enterprises alike. It is time for a fresh take.
Even though company founders recognize the need for good security training, the following three flaws persist and hamper their efforts to improve company security.
- Highly technical language that kills accessibility
Generally, enterprise-grade security awareness training is conducted by a company’s security team or CISO. Often, however, insufficient thought is given to the program’s structure. Typically, a security team member delivers a lecture or presentation about common threats, explains what to watch out for, and so on.
The language used in such sessions is often highly technical. Even basic security terms like "phishing" or "DDoS attack" are opaque to many non-technical employees, because these terms are not part of everyday language.
One solution is to translate these security-specific terms. Instead of saying "phishing," a security team can say "malicious email" or "dangerous email." Be careful not to lose the substance in translation, though: what an employee needs to understand is that the message impersonates someone they trust in order to make them click a link, open an attachment, or hand over a password. Pairing the plain-language description with the term, rather than replacing the term outright, also prepares employees for the word when they meet it outside the training room.
Security teams might argue that technical language is unavoidable. To a degree, that is true. However, they must avoid language so technical that it alienates non-technical employees and needlessly steepens the learning curve. Those employees will come to see security awareness as an "IT thing" instead of taking responsibility for it themselves.
Technical language also heightens feelings of inadequacy and erodes confidence. The result is more review requests routed to security teams that are already overloaded. A small company's team might absorb that load; an enterprise team cannot.
Customization is needed. Each employee should receive training that matches their technical knowledge and their role. A developer should not receive the same training as an employee who does not know how to clear their browser cache.
Customized programs might seem unscalable, but modern training and education platforms let enterprises deliver role-specific, gamified content without hand-building a course for every team.
- Optimizing for compliance instead of better security
As security has become central to product workflows, companies have had to come to terms with the regulations they must comply with. While enforcing compliance is a positive step, it has unfortunately skewed incentives.
The financial penalties for non-compliance occupy much of a company's attention, rather than the need to educate employees and actually reduce risk. Companies are motivated by the stick, not the carrot.
As a result, security awareness training at most enterprises is a box to be checked. Everyone gathers for a few hours, runs through a few exercises, and forgets the material within days. These companies focus only on meeting regulatory requirements and overlook the risk they leave unaddressed.
Ashley Rose, CEO and cofounder of Living Security, believes the average company’s training program goes against the way most people learn. “Having team members sit through hours of workshops — and then expecting them to retain the information and apply it at the right time — is an unrealistic task and doesn’t take into account the way people best learn,” she writes. “We all forget things, and cybercriminals are always developing new techniques.”
Rose recommends enterprises focus on delivering training in bite-sized courses with follow-up quizzes to reinforce concepts. She notes that reinforcement plays a critical role in learning. “Employees should also be engaged with new content regularly so they are continuously learning about new threats and frequently reminded to stay vigilant,” she adds.
Bad incentives and the wrong focus lead to infrequent training sessions and a general lack of engagement. Both outcomes harm a company's cybersecurity posture, the opposite of what it set out to achieve.
- Measuring progress via misguided metrics
Speaking of goals, most companies measure the wrong things when judging the effectiveness of security training. To present a compliant picture, they track attendance percentages and minimum session frequencies.
Enterprises should instead treat the reduction in security incidents as the ultimate measure of effectiveness, with the caveat that breaches are rare and lagging events, so that number alone moves slowly and noisily. Getting there also means shifting responsibility for training away from a single owner toward a culture of security in which everyone is accountable.
Lena Smart, Chief Information Security Officer at MongoDB, explains that most teams contain members with different levels of security experience. Empowering the more security-minded members as champions, regardless of their technical role, is the key to building a responsible security culture.
Smart explains how she employs this approach at MongoDB in a recent interview with McKinsey. “We’ve found that there is a lot of collaboration among all different levels of expertise,” she asserts. “This is creating a culture with security at the forefront. The champions are basically the voices of their team for security.”
A champions program of this kind is intended to reduce the number of security incidents, the metric companies should actually track when measuring training effectiveness. It also helps move training away from its compliance-driven character.
Security training needs a revamp
Security training has come a long way over the past decade, but companies still have plenty of work to do. By reorienting training away from compliance, using plain language, and ditching vanity metrics, enterprises can strengthen their security posture and meet compliance requirements as a by-product.