Embracing Culture to Increase Security Training Saturation

Share with your network!

Earlier this week Rashmi Knowles, Chief Security Architect for RSA, the security division of EMC wrote a blog post about Culture vs. User Training and posed a question asking how global organizations could acquire and maintain a consistent level of security training.

I thought I’d point our readers to this thought-provoking article and also provide my own commentary on the topic.

I needed to put on my internal communications hat to provide a response to this question. Really, global organizations are made up of groupings of mini-cultures that are sometimes based upon the culture of previous companies (as in the case of acquisitions) or dependent upon the geographic location. This can make effective awareness campaigns a real challenge because security officers need to accept that one size doesn’t necessarily fit all, and the motivation to complete training can vary by group.

Ideally, global security officers would find passionate champions inside each mini-culture who understand what motivates their particular group of people and let the local champions help to roll out programs that would entice their groups. The training can be the same for everyone, but the motivation to complete the training can change from culture to culture.

For example, if one culture is particularly family focused, perhaps offering the same training to their family to protect them at home would be enticing. Or perhaps there’s a location with its own rugby team, soccer team, etc., where the training can become competitive. They could run contests to determine who scores the highest, or which group got 100% of employees to complete training first.

One of the things that our research has taught us is that in order for anyone to learn, the content needs to be relevant to the trainees. That’s what this mini-security awareness campaign approach would do...make the idea of completing training relevant and appealing to the audience.

Here’s Rashmi Knowles blog post.