During the 2016 National Cyber Security Awareness Month in October, Frederick Scholl wrote an intriguing article for CSO Magazine entitled, “Time to kill security awareness training.” Many people expressed the view that the headline was a shocker.
Some security pros who commented on the article directly, or expressed their views on social media sites like LinkedIn, responded with strong push-back and a shared feeling of disbelief, in words like: “It’s not time to kill security awareness training. It’s time to kill Stupid Security Awareness Training.”
To summarize these reader sentiments in a few words: You’re going in the wrong direction.
Except, Scholl was not really proposing the death (or even the crippling or the cut-back) of security awareness training as others have done in the past. The author wants security awareness training to be stronger, more effective, more comprehensive, more in-depth and for responsibility to be spread to business areas.
In Frederick’s own words from the article:
- “We need to replace awareness with education.”
- “The goal of educating users about security is to facilitate an organizational change, so that security is part of the company culture.”
- “Obviously you need a security strategy. You also need to assign roles and responsibilities in the security structure. This needs to include the whole organization, not just the office of the CISO.”
- “Awareness training alone will not be enough to facilitate an organizational change.”
The reality is that the headline is clever, but misleading. Many readers fell for the clickbait and commented before they truly understood what was being proposed – or not proposed.
Yes! We need security culture change
I want to start by saying that I mostly agree with what Scholl says in this article. No doubt, we do need to change the security awareness training programs that many people suffer through once a year. Note: Some readers will want to debate the differences between security awareness training and security education, as is described in this article by Ira Winkler, but I don’t want to go there in this piece.
For more than a decade, I have been championing the view that organizational culture is the hardest part of security in any public or private organization.
And yet, security culture change is the “Holy Grail” that is so hard to achieve. Yes, it does involve more than just security awareness training. As any good consultant from the Big 4 can tell you, lasting culture change requires ongoing resources (such as funding and staff time), executive buy-in, and management leading by example. It requires people, processes and technology to work together well.
One reason that culture change is so hard is that security must compete with ERP implementations and many other enterprise projects that are also preaching culture change. There are even best-selling books telling us how to Change the Culture, Change the Game.
Security awareness training can help change the security culture through ongoing attention to relevant topics like social engineering. Nevertheless, stale, outdated awareness material certainly doesn’t help, and too many programs keep doing the same thing while expecting a different result.
Security awareness training is of the utmost importance these days, and I can’t stress that enough. It is the single most important thing that any organization, regardless of size or industry, can add to its employees’ training regimen.
But what makes security awareness training effective?
In equal parts, it combines best practices in instructional design, robust security content, high-quality training materials and interactive, game-based training. When offered with interactive content that teaches new security protection techniques and much more, the results are meaningful and can be measured.
Effective security awareness training truly changes security culture. People become engaged and start asking questions, they understand and report risks, and realize that security is not just a workplace issue but about their and their family’s security as well.
There have been many articles that point out that compliance is not enough for good security and many of those same principles apply to security awareness training. There are many helpful articles that will point out why security awareness programs fail, as well as articles on how to use gamification and other techniques to be more successful in security education.
Indeed, I teach a class all over the U.S. on How to Build a Successful Security Awareness Program. As described in NIST SP 800-50 and NIST SP 800-16, an effective, ongoing program goes much deeper than a once-a-year hour-long video or some extra attention during October’s Cybersecurity Awareness Month.
Time for a new name for security awareness training?
But I want to go further and ask a few bold questions. If real culture change has been the security awareness goal for a long time, why can’t we achieve that goal?
Beyond, “it’s hard” or “the playing field of bad guys keeps changing,” what can we do?
Isn’t it time for a new emphasis on security awareness training that gets a better response from the masses than “Been there, done that, got the T-shirt”?
It may be time for a new, bolder name for security awareness training, but not everyone agrees that we need a name change. In fact, Marie White, Security Mentor’s CEO, thinks there are many legal, policy, framework and other challenges to changing the overall name that people know so well.
However, Marie does agree that it is time for a new focus in the security industry on training that drives true behavior change and for security awareness solutions that achieve this through gamification and a focus on brief, frequent and focused content that can change behaviors.
What do you think? In a world of insecure IoT devices and botnets being used to DDoS important companies, should we elevate or strengthen the importance of this effort? Do we need to issue end user driver’s licenses for the internet in the same way we do for driving on physical roads?
Should we change the name? If yes, how would you strengthen the name? What would you call it?
I’d love to hear your viewpoint.