Western Union: Their bold new approach to awareness training (and why it's working)
John Schroeter recently sat down with Alex Yokley and Kim Hickman of Western Union to discuss their unorthodox approach to security training
By John Schroeter
November 06, 2013 — CSO — "I've been involved with security awareness training for several years now, and I can't remember one single compliment on any of our previous courses," sighed Alex Yokley, Director of Corporate Information Security at Western Union.
Sound familiar? Probably so, as too many people involved in training employees on information security are singing the same song. And who can blame the bored employees? The fact is most compliance training programs are incredibly dull. User surveys consistently report that the only reason people take the courses is because they have to.
It turns out that employees taking required courses are just checking a box—just like the many information security people who administer the training. It seems that "checking the box" rolls downhill. The only difference is, when the course takers check the box, they also check out, forgetting what they learned only minutes after completion.
But Yokley, together with information security engineer Kim Hickman, decided it was time to take a different approach—a radically different approach. An approach that would mean escaping from the box of traditional, yet ineffective and uninspiring training that ultimately yields nothing but annoyance and dissatisfaction. Did their departure from the well-worn path work?
It did, indeed. Upon rolling out the newly designed course, the duo began to sing a very different kind of song. "We've been overwhelmed," Yokley says, "by the incredible volume of positive responses we received within just the first 24 hours of launching the course. It was, in every respect, a huge success." And with hard data in hand to prove that success, Yokely and Hickman continue to push the boundaries of information security education. We recently sat down with them to learn more about how they accomplished it.
What led you to undertake such a bold awareness training initiative?
Kim Hickman (KH): For years we'd been conducting the traditional training courses; the usual bunch of slides that takes you 30 minutes to get through. And one of the things they all seem to have in common is they push way more information than anyone can realistically take in. What's more, they leave it to the course takers to decipher which pieces of that training actually apply to them. So rather than lose them altogether, we wanted to find something that would be more engaging and fun and yet still get the point across.
Alex Yokley (AY): Historically, our courses were like many other corporate training courses you see: lots of bullets, lots of words, lots of mandatory clicking, and a test at the end. They're just boring. Besides, the annual training courses are really not the ideal time and opportunity to be teaching people new concepts. People just don't retain the content when it's presented in that way. Rather, the annual event should be an occasion to reiterate the basic concepts that they should already know, but just need to reinforce. That led us to reevaluate the whole process, to approach the training in a different, more relevant and effective way. And that's what provided the spark to create what became the "Day in the Life" course.