Develop a Security Awareness and Training Program That Empowers End Users

Turn end users into your organization’s secret security weapon.

Do not fill in this field

Enter no text in this field

Get Instant Access
to this Blueprint

Business Email

Full Name

Company

Phone

Job Title

View Storyboard

Contributors

Sky Sharma, CIO
Adrien de Beaupré, Certified Instructor and Penetration Tester, SANS Institute
Robert Hawk, Information Security Expert, xMatters, Inc.
Steven Woodward, CEO, Cloud Perspectives
Riddhi Patel, Information Security Analyst, National Life Group
Blair Panasiuk, Manager of IT Operations, Dynalife
Erich Salie, Information Security Officer
David Shipley, Director of Strategic Initiatives, University of New Brunswick
Paul Daley, Sr. Analyst for Security Management, Risk and Audit, Toronto District School Board
Glen Maxfield, IT Security Manager, Workers Compensation Board of Manitoba

The fast evolution of the cybersecurity landscape requires security training and awareness programs that are frequently updated and improved.
Security and awareness training programs often fail to engage end users. Lack of engagement can lead to low levels of knowledge retention.
Irrelevant or outdated training content does not properly prepare your end users to effectively defend the organization against security threats.

Our Advice

Critical Insight

One-time, annual training is no longer sufficient for creating an effective security awareness and training program.
By presenting security as a personal and individualized issue, you can make this new personal focus a driver for your organizational security awareness and training program.

Impact and Result

Create a training program that delivers smaller amounts of information on a more frequent basis to minimize effort, reduce end-user training fatigue, and improve content relevance.
Evaluate and improve your security awareness and training program continuously to keep its content up-to-date. Leverage end-user feedback to ensure content remains relevant to those who receive it.

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop a security awareness and training program that empowers end users, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Develop a Security Awareness and Training Program That Empowers End Users – Executive Brief

1. Develop your training program

Create or mature a security awareness and training program that is tailored to your organization.

2. Design an effective training delivery plan

Explore methods of training delivery and select the most effective solutions.

Guided Implementations

This guided implementation is a four call advisory process.

Guided Implementation #1 - Develop your training program

Call #1 - Build a development plan for your training program.

Call #2 - Learn best practices for the execution of development initiatives.

Guided Implementation #2 - Design an effective training delivery plan

Call #1 - Identify possible delivery methods.

Call #2 - Create a training schedule.

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Outline the Plan for Long-term Program Improvement

The Purpose

Identify the maturity level of the existing security awareness and training program and set development goals.
Establish program milestones and outline key initiatives for program development.
Identify metrics to measure program effectiveness.

Key Benefits Achieved

Identified the gaps between the current maturity level of the security awareness and training program and future target states.

Activities

Outputs

1.1

Create a program development plan.

Customized development plan for program.

1.2

Investigate and select metrics to measure program effectiveness.

Tool for tracking metrics.

1.3

Execute some low-hanging fruit initiatives for collecting metrics: e.g. create a knowledge test, feedback survey, or gamification guide.

Customized knowledge quiz ready for distribution.
Customized feedback survey for training.
Gamification program outline.

Module 2: Identify and Assess Audience Groups and Security Training Topics

The Purpose

Determine the unique audience groups within your organization and evaluate their risks and vulnerabilities.
Prioritize training topics and audience groups to effectively streamline program development.

Key Benefits Achieved

Created a comprehensive list of unique audience groups and the corresponding security training that each group should receive.
Determined priority ratings for both audience groups and the security topics to be delivered.

Activities

Outputs

2.1

Identify the unique audience groups within your organization and the threats they face.

Risk profile for each identified audience group.

2.2

Determine the priority levels of the current security topics.

Priority scores for all training topics.

2.3

Review audience groups and determine which topics need to be delivered to each group.

List of relevant security topics for each identified audience group.

Module 3: Plan the Training Delivery

The Purpose

Identify all feasible delivery channels for security training within your organization.
Build a vendor evaluation tool and shortlist or harvest materials for in-house content creation.

Key Benefits Achieved

List of all potential delivery mechanisms for security awareness and training.
Built a vendor evaluation tool and discussed a vendor shortlist.
Harvested a collection of free online materials for in-house training development.

Activities

Outputs

3.1

Discuss potential delivery mechanisms for training, including the purchase and use of a vendor.

List of available delivery mechanisms for training.

3.2

If selecting a vendor, review vendor selection criteria and discuss potential vendor options.

Vendor assessment tool and shortlist.

3.3

If creating content in-house, review and select available resources on the web.

Customized security training presentations.

Module 4: Create a Training Schedule for Content Deployment

The Purpose

Create a plan for deploying a pilot program to gather valuable feedback.
Create an ongoing training schedule.
Define the end users’ responsibilities towards security within the organization.

Key Benefits Achieved

Created a plan to deploy a pilot program.
Created a schedule for training deployment.
Defined role of end users in helping protect the organization against security threats.

Activities

Outputs

4.1

Build training modules.

Documented modular structure to training content.

4.2

Create an ongoing training schedule.

Training schedule.

4.3

Define and document your end users’ responsibilities towards their security.

Security job description template.
End-user training policy.

After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.

Client

Experience

Impact

$ Saved

Days Saved

Testimonial

Performance Trust Capital Partners

Guided Implementation

10/10

N/A

Ian had great ideas and overall was very helpful. 10/10 would definitely seek help from him again.

Federated Co-operatives Limited

Guided Implementation

10/10

$2,000

Public Safety Canada

Guided Implementation

9/10

$50,000

Gallagher

Guided Implementation

10/10

$2,458

This is a terrible way to measure this Guided Implementation! The templates given as part of the blueprint were decent starting points, but the style was such that we rebuilt them all in-house. So while there wasn't significant dollar-value or time s...

STERIS Corporation

Guided Implementation

10/10

$2,458

Ian is very knowledgeable. He has solid input that he can back up with research and always puts me in the right direction.

Fleet Feet Sports

Guided Implementation

10/10

N/A

It was hard early on to explain the lack of IT in our organization, and how lack of budget and the general "ask your IT department" guidance in most training was not applicable for us. Once I started talking with Ian, he met us where we were. He poin...

The City of Spruce Grove

Guided Implementation

8/10

$3,000

Health Alliance

Guided Implementation

9/10

N/A

The material Ian was able to provide and the experience

City Of Durham

Guided Implementation

9/10

N/A

Relevant insights on the topic were discussed. This will enable me deploy an efficient Cyber Security Awareness campaign that aligns with best practices.

Selkirk College

Guided Implementation

9/10

$10,000

Ian's diverse knowledge helped me with my projects immensely. He always has great advise, is very patient and easy to understand. Ian provided me with examples I could use in my projects which was a huge help. thank you so much

STERIS Corporation

Guided Implementation

10/10

$15,980

Ian is great to work with. He understands the needs of the customer and works with them to manage an effective program. He knows how to explain the materials really well and walk the customer through the tools to get the most out of them. One of the best...

Gopher Resource

Guided Implementation

10/10

$3,000

INTEGRA-CO INC

Guided Implementation

9/10

N/A

STERIS Corporation

Guided Implementation

10/10

$12,292

Ian does a phenomenal job understanding the needs of STERIS, how we are looking to grow our Security Awareness program, and developed tools and metrics around what Steffanie was looking for. He was also able to transfer that knowledge on to me when Steff...

Auckland Transport

Guided Implementation

8/10

N/A

Ian gave great direction after understanding where we are placed with our current security awareness program.

Federated Co-operatives Limited

Guided Implementation

9/10

$7,000

Yamana Gold

Guided Implementation

10/10

$25,000

The Analysts on the calls were very good at understanding my needs and providing recommendations and tools specific for my situation. Difficult to think of a "worst part" in such a pleasant discussion.

Ottawa Police

Guided Implementation

10/10

$25,000

I found Ian's knowledge to be very comprehensive in the area of Security Awareness training. Ian had very good insight into the value of the companies that are involved in the industry.

County of Nevada

Guided Implementation

9/10

N/A

Ian listened and provided helpful suggestions

Town Of Marana

Guided Implementation

10/10

$12,733

Ian was amazing! His knowledge on the subject-area allowed us to go with a product we otherwise would have never known about. I was able to demo different products with staff to ultimately select a solution that we are confident will resonate with our end users. It's very refreshing to speak with someone who is unbiased and ultimately cares about your needs!

Palm Beach State College

Guided Implementation

10/10

N/A

Ben was very helpful and knowledgeable about the subject matter of ?Humanize the Security Awareness and Training Program.?

Capital Regional District

Guided Implementation

9/10

$7,000

Ian is very knowledgeable and was able to assist me by providing best practice solutions to some of the issues that I have run into when implementing Security Awareness Training in the past. Very valuable insights. Also, Ian knew a lot about the various vendors in this space and provided me with very good recommendations and what to look out for. When I mentioned a new vendor in the space that Ian had not heard of he was able to reach out to them to do some initial research and provide me with his initial thoughts. He really went out of his way to help me and made me feel like an important client. I would be very happy to work with Ian again in the future.

South West Water

Guided Implementation

10/10

N/A

CIEE, Org.

Guided Implementation

10/10

$12,733

Great session with Ian on how to approach our Security Awareness program. It really helped.

Government of New Brunswick

Guided Implementation

9/10

N/A

Ian was very open to questions and provided helpful answers. Ian also provided good follow up material after the call.

Ohio State Bar Association

Guided Implementation

10/10

$2,419

Best part was Ian's advice, and reassurance that we were not the only client with gaps in our security knowledge. Worst part was trying to get dialed in to the conference bridge, but that turned out to be a problem on our end, not WebEx.

Thames Valley District School Board

Guided Implementation

8/10

N/A

The New York Racing Association Inc

Guided Implementation

10/10

N/A

Ian provided very valuable feedback and guidance, from features, pricing and rollout methodology prospective, on what should I be looking for in a Cyber security training program. I was able to find a suitable vendor and are now in process to roll out program here at NYRA.

Kinze Manufacturing

Guided Implementation

10/10

$6,366

There was no bad. I'd like to give you something to improve on, but it was professional, informative, and there was good follow up. I thought I knew who to look at but I was wrong. My current leader is a company Ian turned me onto.

Griffith University

Guided Implementation

10/10

$48,985

Ian Mullholland undertook a very detailed review of Griffith University's cyber awareness plan and provided valuable insights and feedback based on best practice review and very helpful suggestions in avoiding commonly biased areas in terms of measurement and evaluation of statistical results Ian also gave deep insights into some of the ways we can improve our application of our cyber awareness plan applied to our extensive cohort which will help ensure the success of the plan.