Feb 05, 2018
An education program can have a transformative effect on every aspect of an organisation’s security. Unfortunately, many businesses fail to realise these benefits, and find themselves investing in an expensive and ineffective drain on resources. Thankfully, a few simple guidelines can prevent these problems from emerging. Today, we’re covering eleven simple tips to help you create an effective security education program for your organisation.
1) Prioritise from the Top-Down
Effective security adoption has to start with the C-suite. Without an executive mandate, your organisation will struggle to convey the importance of security training.
2) Roll Out Regular Awareness Training
Security education is designed to change ingrained habits, a process which requires ongoing security training. In the same way that bad habits develop over months and years, good security habits take regular training to reinforce.
3) Sell Security in Terms of Benefits
It’s far easier to engage with any kind of training when the benefits of doing so are clear and explicit. Wherever possible, communicate the value of education through the benefits it can deliver, such as the time saved by having fewer vulnerabilities to remediate.
4) Don't Impact Existing Responsibilities
Security education requires a commitment of time and energy from its participants. When employees are already working to tight schedules and inflexible deadlines, training can be detrimental to their primary role. Security programs need to acknowledge this and explicitly block out small amounts of time for training sessions.
5) Develop a Security Syllabus
As we’ve already mentioned, a one-off training program won’t be enough to change security habits for the better. Your organisation needs to develop a syllabus of training courses, choosing a selection of varied, engaging and role-specific security modules that offer relevant, ongoing training to your employees.
6) Create a Repository of Security Knowledge
For security to become a self-sustaining process, it’s essential to develop a centralised repository of security information, allowing employees to refer back to their training whenever they encounter a security issue in their day-to-day roles.
7) Hold Security Q&A Sessions
It’s important for employees to feel comfortable identifying and raising security vulnerabilities. Q&A sessions with a security expert can help improve security knowledge and, most importantly, start a conversation around security practices. If you're concerned that staff will struggle to broach security issues with an in-house team member, bring in an external expert to start the dialogue.
8) Improve Security's Reputation
Education programs will often bring tensions between security and development teams to a head, with developers frustrated by security’s criticisms, and security frustrated by recurring vulnerabilities. It’s essential to be proactive and take steps to improve security’s reputation within your organisation.
9) Regularly Test Security Knowledge
Testing is a crucial part of security education, both for assessing the efficacy of your chosen program and for proving its value to senior executives. As a result, it’s a good idea to choose a security program that offers short tests at the end of each module.
10) Reward Individuals Who Excel
It’s important to praise and recognise participants who excel at the training program. Many organisations even choose to make these participants ‘security advocates’ and enlist them to promote the program to their peers.
11) Facilitate Employee Competition
By encouraging friendly competition, you can often coax improved performance out of your employees in an enjoyable and challenging way, especially between close-knit teams of competitive developers!