The Security Innovation Europe Blog

Why Most Employees Aren’t Satisfied with Security Training

Posted by Alan Pearson on Aug 6, 2015


Even with a fantastic security training program and full executive support, there’s still a significant barrier for your organisation to overcome: your employees.

Security training has a bad reputation, with many employees regarding it as a distracting waste of time and energy. To help you overcome these misconceptions, and help your employees to get the most from a security training curriculum, we’re looking at the three biggest reasons why employees aren’t satisfied with security training.

1) It Interferes with Their Job

Traditional security training is disruptive, slow, and quite often, boring. The classic classroom-based training model usually requires employees to take several days away from work. With looming deadlines and a ton of other commitments to attend to, time away from work can be the last thing on an employee’s mind. In many cases, this is enough to turn employees away from the concept of security training, and limit their drive to engage with it.

This problem is particularly prevalent within development teams. Secure software development is a crucial tenet of improving organisational security, with insecure software responsible for as much as 80% of security attacks. Crucially though, software developers often have incredibly demanding, time-intensive schedules. They’re judged on their ability to create fast, effective, feature-rich code, and spending time poring over code for potential vulnerabilities, or engaging with drawn-out training sessions, is detrimental to their primary role.

To overcome this problem, training needs to be implemented alongside existing commitments. Time needs to be explicitly blocked out for training, and any concurrent deadlines or projects need to have time for training built clearly into them.

2) Courses are Irrelevant

Effective security training needs to cover a broad range of topics and techniques. Whilst all employees will benefit from an understanding of the core staples of organisational security, there are many aspects of security training which will prove irrelevant, and uninteresting, to your employees.

Training needs to be role-specific – with modules chosen to suit the specialisation of its participants. Developers in particular often specialise in certain programming languages (like C++, Java and PHP), development methodologies (particularly agile software development) and technologies (like cloud development). To help employees stay engaged with training, it’s essential to reflect these specialisations with the training you implement.

Thankfully, computer-based eLearning courses make it easy to develop a role-specific syllabus. In addition to a handful of core sessions, it’s easy to pick out individual modules to suit the needs of employees. These modules can be suited to their specialisations and security knowledge, and engaged with in a quick and efficient way.

3) They Don’t Understand the Need for Security Training

For many employees, security is an afterthought, and for others, an inconvenience. Without organisation-wide awareness of the need for security, it’ll be extremely challenging to get employees to engage with training in a meaningful and effective way.

This is in evidence on a daily basis, with employees from all areas of an organisation regularly (and repeatedly) making simple security mistakes. From the use of weak passwords for multiple logins, through to insecure personal mobile devices used for sensitive corporate work, security breaches and threats are extremely commonplace in the majority of organisations.

So, before rolling out a security training program, make sure the need for training is explicitly addressed:

  • Prioritise security from the top down, with active participation from senior executives and the C-suite.
  • Bring in experts to talk about the need for security, and the ramifications of poor security practices.
  • Periodically refresh and revitalise your security training, and raise repeat awareness for the topic.
