Humanize the Security Awareness and Training Program
If it’s not human-centric, you’re not training your humans.
This content requires an active subscription.
Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.
View Storyboard
Contributors
- Sky Sharma, CIO
- Adrien de Beaupré, Certified Instructor and Penetration Tester, SANS Institute
- Robert Hawk, Information Security Expert, xMatters, Inc.
- Steven Woodward, CEO, Cloud Perspectives
- Riddhi Patel, Information Security Analyst, National Life Group
- Blair Panasiuk, Manager of IT Operations, Dynalife
- Erich Salie, Information Security Officer
- David Shipley, Director of Strategic Initiatives, University of New Brunswick
- Paul Daley, Sr. Analyst for Security Management, Risk and Audit, Toronto District School Board
- Glen Maxfield, IT Security Manager, Workers Compensation Board of Manitoba
Your Challenge
- The fast evolution of the cybersecurity landscape requires security training and awareness programs that are frequently updated and improved.
- Security and awareness training programs often fail to engage end users. Lack of engagement can lead to low levels of knowledge retention.
- Irrelevant or outdated training content does not properly prepare your end users to effectively defend the organization against security threats.
Our Advice
Critical Insight
- Your security training is not creating education, it’s creating information fatigue and, therefore, not getting absorbed.
- By presenting security as a personal and individualized issue, you can make this new personal focus a driver for your organizational security awareness and training program.
Impact and Result
- Create a training program that delivers smaller portions of information on a more frequent basis to minimize effort, reduce end-user training fatigue, and improve content relevance.
- Evaluate and improve your security awareness and training program continuously to keep its content up to date. Leverage end-user feedback to ensure content remains relevant to those who receive it.
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should humanize your security awareness and training program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
1. Assess the maturity level of the security culture
Examine the current security culture and determine future target states.
2. Select an effective training delivery plan
Explore methods of training delivery and select the most effective solutions.
3. Build a reporting system and continuously update the training program
Discover the most effective methods for improving a training program after each iteration.
Guided Implementations
This guided implementation is a seven call advisory process.
Guided Implementation #1 - Assess the maturity level of the security culture
Call #1 - Perform an end-user group risk assessment.
Call #2 - Assess the current state of the security culture.
Call #3 - Define target state and establish minimum security awareness.
Guided Implementation #2 - Select an effective training delivery plan
Call #1 - Identify possible delivery methods.
Call #2 - Create an implementation timeline and training schedule.
Guided Implementation #3 - Build a reporting system and continuously update the training program
Call #1 - Establish a feedback loop and build accountability for end users.
Call #2 - Create a pilot program and ensure to update and evaluate the program continuously.
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess the Maturity Level of the Current Security Culture
The Purpose
- Identify the maturity level of the existing security awareness and training program and set future target states.
- Determine the unique audience groups within your organization and evaluate their risks and vulnerabilities.
- Prioritize training topics and audience groups to effectively streamline program development.
Key Benefits Achieved
- Identified the gaps between the current maturity level of the security awareness and training program and future target states.
- Created a comprehensive list of unique audience groups and the corresponding security training that each group should receive.
- Determined priority ratings for both audience groups and the security topics to be delivered.
Activities
Outputs
Select your executive champion.
- Executive champion support
Evaluate your end users’ current knowledge.
- Knowledge of end users’ current knowledge level
Assess the maturity of your current awareness and training program.
- Maturity score of current training program
Identify your user groups and their corresponding topics.
- Chart of audience groups and the security topics that each needs to receive
Analyze your organization’s current IT environment and set a target state.
- List of risks and vulnerabilities for each audience group
Set a minimum security awareness level and prioritize your topics.
- List of prioritized training topics
Module 2: Plan the Training Delivery
The Purpose
- Identify all feasible delivery channels for security training within your organization.
- Establish program milestones and outline key initiatives for program development.
- Create an ongoing training schedule.
Key Benefits Achieved
- Outlined a detailed plan for program development, including a timeline for planned initiatives and initiative ownership assignment.
- Created a schedule for training deployment.
Activities
Outputs
Refine your approach to training.
Identify available delivery methods.
- A list of delivery methods to use for training deployment
Build an implementation timeline and training schedule.
- A schedule for completing program initiatives and a schedule for delivering training sessions to the organization
Create customized training materials.
- Customized training materials
Module 3: Outline the Plan for Long-Term Program Improvement
The Purpose
- Define the end users’ responsibilities towards security within the organization.
- Document results gathered from previous workshop modules.
- Create a plan for deploying a pilot program to gather valuable feedback.
Key Benefits Achieved
- Defined role of end users in helping protect the organization against security threats.
- Finalized security awareness and training program manuals.
- Created a plan to deploy a pilot program.
Activities
Outputs
Create accountability for your end users.
- A customized definition of end-user responsibility towards security within your organization
Document and evaluate your training program.
- A training manual containing all information regarding your training program
Design a pilot program.
- A plan for deploying a pilot program capable of harvesting valuable feedback for improving your program
