What is Security Training for Anyway?

Ben Craton | Sep 26, 2023

You know the drill: it’s audit time, you’re scrambling to get all your ducks in a row, and then your HR department realizes that you’ve still got stragglers who haven’t completed their security training. Leaders have been emailed, reminders have been sent, and still there are people who haven’t completed their training. You’re not alone; this is a common problem for many organizations. So what can you do about it?

The Problem with Compelled Training

Most companies and employees treat security training as a box that must be checked by a certain calendar date. As security professionals, this makes us want to bang our heads against a wall. We know that the training is important, but the priority it takes in each person’s head is different. For some, it’s a fire that should be extinguished immediately; for others, it’s a nuisance to be filtered out by email clients. For most, it’s somewhere in between.

Think back to when you were in grade school. The times you can recall being excited for homework were few and far between. Not only did you dread having extra tasks piled on you that you didn’t ask for, you didn’t even know why you had to do it. What’s the point? The same applies to security training for most employees. They know that they have to complete it, but do they really know why?

Finding Empathy in Security

The most compelling training, unfortunately, is the training some people get when they’ve had “information security” as a concept bleed into their personal lives.

A friend of mine called me up one day asking for guidance. Her friend had been the victim of one of those “There’s a problem with your account and you should call this number, which is definitely Microsoft” scams. She felt stupid, ashamed, and violated. In fact, she was embarrassed for having her friend call me to ask for help.

Now in this case, everything worked out fine. She hadn’t given them any vital information, no private information was on her computer at the time, and her computer could be restored. She learned a lesson and was eager to warn others in her social circle, using her experience as a cautionary tale.

Is that a success? I’d say so. She learned a lesson, and she was eager to share it with others. She was able to empathize with the victims of these scams and wanted to help them avoid the same fate. Suddenly, she was a security advocate.

Make Security Training Personal

The key to making security training effective is to make it personal, relatable, and shareable. If you can make it personal, you can make it relatable. If you can make it relatable, you can make it shareable. If you can make it shareable, you can make it stick.

Think about your employees and how they interact with the technology you’ve provided them. They all see those tools in different ways and use them in different ways. Some may see email as simply a chat session, whereas others use it to archive critical business documents. You may see a VPN as a way to access internal resources, but they may see it as a way to get around a firewall to access their favorite streaming service. To connect with your employees, you need to understand how they use the tools at their disposal.

Let’s consider two cases where I’ve (rightly or wrongly) assumed you have a good ISMS or equivalent rolled out to your organization.

The developer

The developer sees the world in terms of code. The tools they use to do the work of building more tools have given them experience in how to break things and fix them again. Asking developers to do security training is not a problem of understanding why; for them it’s a problem of interest. They have other work and more interesting challenges to solve.

To connect with the developer, connect the lessons in the training to ones they can use personally. Perhaps they have side projects that they are working on and could use insight on how to apply security practices to a solo project. Perhaps they have a friend or family member who has been the victim of a scam or hack. Perhaps they have a favorite open source project that they could contribute to by adding security features.

The salesperson

The salesperson sees the world in terms of people and the connections between them. For them, the technology we put in front of them is a means to that end and nothing more. Asking a salesperson about applying security to their work is like asking a sprinter to please wear a weighted vest. It’s not going to help them do their job, and it’s going to slow them down.

To connect with the salesperson, connect the lessons in the training to ones they can weave into their pitch. Security is not a list of “do’s and don’ts”; it is a commitment to quality in the services you provide your customers. Taking training isn’t a yearly reminder of what not to do; it’s a reminder of the trust your customers have put in you to keep them safe. And it’s a reminder that they can use to show their customers that they are committed to that trust.

Conclusion

Security training is a necessary part of life. You have an opportunity to make it a positive part of your employees’ lives and empower them as people first, employees second. It might sound cheesy, but those are the facts. If you can make security training personal, relatable, and shareable, not only will you have checked all your GRC boxes, you’ll have a workforce that evangelizes on your behalf.