Dec 26, 2017
So you know what makes a great security awareness training program. The next question is: how do you go about implementing such a program? In today's post I run through three ways to maximise the chances of a successful security training program implementation.
Start With Your Homework
Before you get started with implementing a security training program, you need to understand what you're dealing with. You need to interview as many people within your organisation as possible, and learn about the systems and devices they use as part of their roles, and what they use them for. You need to think about all the various departments within your organisation, and different levels within your organisation. The best programs will be tailored, so that employees are only taught about concepts and risks relevant to their role. For example, it's no use giving your receptionist security awareness training designed for a senior manager - it's likely that you'll cover too many topics that are irrelevant to the receptionist, making it difficult for the individual to understand what's important for their role and what isn't. This only results in failure. Another important thing to consider is the level of access these people have to systems. Who needs access to what systems, and why? Is there specific training required for using specific systems?
Secure Senior Buy-In
The implementation of your security training program needs senior buy-in. Unless there's someone at the top of your company backing your program, it's unlikely to be effective. Employees have to take time away from their day-to-day roles in order to take part in training programs. If they don't see that the senior management team is serious about the program, they won't commit. In an ideal world, you should try to secure the backing of the chief executive, chief operations officer or chief information officer. With buy-in at such a senior level, employees organisation-wide will treat the program seriously.
Keep It Simple
There's no point in trying to roll out an in-depth security training program immediately. If you're not currently doing any training, then start with some small steps. For example, you could begin by rolling out basic security awareness training software to all your employees. Require them to study with the software, and take a test indicating their understanding. Once you're confident that employees organisation-wide have grasped the basics, you can think about additional training for the various departments you identified when you were doing your homework. Focus on the areas of the company that pose the biggest risk to security if training is insufficient. Good places to start may be your software development teams, or people with direct access to the organisation's most sensitive documents.