Security awareness training has made great strides in recognition and adoption over the past decade. As such, it might seem odd for us to dedicate a blog post to defining this term. But our goal isn’t to define security awareness training at a basic level. Rather, it’s to encourage you to think beyond the basics. And part of that is considering how you define security awareness training for the people who will determine the success of your program: your end users.
Don’t Be Basic
Many cybersecurity professionals have a relatively narrow focus on what security awareness training means for their organizations. It’s understandable, especially since the infosec industry generally has a fairly narrow definition of it as well. Here’s an example from TechTarget’s WhatIs.com:
Security awareness training is a formal process for educating employees about computer security.
A good security awareness program should educate employees about corporate policies and procedures for working with information technology (IT). Employees should receive information about who to contact if they discover a security threat and be taught that data is a valuable corporate asset.
What, you might wonder, is wrong with this definition? It is, you might argue, fairly broad. And you’d be correct—to a degree. “Corporate policies and procedures” is certainly an expansive, chameleon-like subject. And the wide-ranging definition of “data” (and its value) can’t be disputed. But when security awareness training is framed strictly within the boundaries of an organization’s rules and mission, the focus is too narrow.
The point here is that good security awareness training doesn’t start and end with corporate mandates: it starts with encouragement and empowerment and, above all, personal connection. It’s not just about work. Data is valuable. Period. Good cyber hygiene improves data and device security. Period. Cybersecurity skills are portable, and better behaviors benefit people. Period.
Adopt a People-Centric Mindset
At Proofpoint, we emphasize the need for a people-centric approach to cybersecurity. Much of that is because cybercriminals are most certainly focusing on people—workers and consumers alike. Organizations that do not factor users into their security strategies miss the opportunity to defend themselves at the very points attackers are targeting (and successfully compromising).
Take a people-centric approach to security awareness training by remembering these three R’s:
- Recognition – Acknowledge that users are stakeholders in your program and that their success is your success. Don’t simply treat employees as part of the problem. Recognize that they can be an effective part of the solution.
- Relevance – Choose an approach that engages users. It’s not just about making employees aware that threats exist. Users should clearly understand how cybersecurity skills benefit them on a personal level, and how they can apply new skills at work and at home.
- Reinforcement – Don’t expect your users to turn into experts immediately. Learning happens over time and with practice. To achieve behavior change, you need to reinforce key topics through regular awareness and training activities.
We can help you build an effective, engaging program that benefits your people and your organization. Let us help you broaden your definition of security awareness training today.