Jerich Beason, CISO, Commercial Bank at Capital One, equates the Great Resignation with the great onboarding.
“If you are a cyber leader, you are likely onboarding new talent this year. My experience is that the first week onboard sets the tone for that person’s tenure,” he writes in an online post. “Don’t take this opportunity lightly. You only have one chance to make a first impression.”
He says critical tasks to handle during onboarding include providing an overview of the security vision, mission, and core values as well as walking new employees through the security strategy and roadmap.
Other CISOs echo Beason’s insights, saying it’s essential to get new employees quickly and effectively onboard with the organization’s cybersecurity program.
A 2021 report from TalentLMS and Kenna Security speaks to the need for attention in this area. They surveyed 1,200 employees on their cybersecurity habits, knowledge of best practices, and ability to recognize security threats and found that although 69% of respondents received cybersecurity training from their employers, 61% failed a basic quiz on those subjects.
Veteran security leaders say there are ways to make security training stick better, starting from an employee’s first days on the job. Here they offer seven strategies on how to make security onboarding more effective.
1. Make sure they know cybersecurity is part of their job
New employees are being bombarded with information, and their ability to retain highly technical data or very detailed processes during the onboarding process is likely limited as a result.
“When someone comes onboard, they’re overwhelmed – they have a new job, new technology, new boss,” says Lance Spitzner, technical director for the Security Awareness & Training program at the SANS Institute.
So instead of trying to deliver all the required cybersecurity training at once, Spitzner recommends imparting the key message that as employees they have a role in and responsibility for security.
“We don’t want people thinking, ‘I’ve got antivirus, and we’ve got a security team, so I’m all set,’” he says, noting that the most effective onboarding programs are those that set expectations and cultivate a security mindset. “They make sure that new workers know cybersecurity is part of their jobs, that it’s not just the cybersecurity team’s job, that they are just as responsible for it as everyone else.”
2. Make sure they know how to do their job securely
Given the overwhelming volume of information coming at new employees, veteran CISOs say effective security sessions teach them specifically what they need to start doing their jobs securely and making sure they’ve got those basics down pat.
“I have seen onboarding where the awareness training is pretty general and then on the final page, as they’re wrapping up, there’s a set of links to the specific company policies, contact information if there’s an event, and a link to the secure portal. That’s not very helpful if I’m a new employee and the details on the tools that I actually need to do my job are on the last slide,” says Andrew Retrum, a managing director in the Security and Privacy Practice at Protiviti.
Instead, he says onboarding should center around teaching new workers about the specific security features, functions and tools to use as well as the company’s policies on secure emailing, properly classifying data, exchanging protected information with third parties securely, and handling other typical tasks in a secure fashion.
“Those need to be clearly articulated, so when the employee starts doing their day-to-day job, they know how to do it securely,” Retrum says.
3. Engage
Another, related piece of advice from veteran CISOs: Don’t lecture, but engage.
“The message is that we’re all responsible for security and part of the success for security. That’s it. We all have to work together on this. But [getting buy-in on that message] comes down to showing them that they’re important and creating connectedness,” says Rich Lindberg, vice president of information security and CISO with JAMS Inc., a firm offering alternative dispute resolution services, and an advisory board member with the Southern California chapter of the Society for Information Management (SCSIM).
To build a rapport, Lindberg says he or one of his team members spends time talking with new hires.
“I could make an informational briefing, I could just give them the rules, but instead it’s ‘Hi, how are you? Who are you. Here’s who I am. Here’s what our department is. Here’s what we can do for you. Engage us anytime you need help.”
“I treat them like they’re my customer, and I ensure a high level of customer service.”
4. Tailor the onboarding training to your own organization
Much of the messaging for new employees is standard across organizations, but CISOs need more than a generic training module, says Jason Rader, vice president and CISO of global tech company Insight Enterprises.
“I have found, and we’ve gotten feedback on this, that the modules can be so generic that they’re useless,” Rader says, explaining that off-the-shelf training options may meet compliance requirements but don’t necessarily equip new workers with the knowledge they need to operate securely.
He has seen training sessions use videos that simply state “follow your company’s bring-your-own-device policy” and “follow your own company’s password policy” without providing the actual policies.
As a result, Rader says he’s attentive to supplementing basic onboarding material with more information specific to Insight’s own security program. “I’m trying to make it very specific to the organization, with me and the CIO talking about how this works for us,” he adds.
On a similar note, Retrum reminds CISOs to refresh and update their training as needed. As he points out: “Risks change, so what was relevant 18 months ago might not be now.”
For example, he has seen security training focus on physical security with no mention of smishing—phishing via text messages—even though the former may be a lower risk and the latter on the rise.
5. Cover the basics in a standardized approach
Terence D. Jackson, a chief security advisor at Microsoft, a former CISO, and author of an onboarding security checklist, says he has encountered companies whose security onboarding was done in an ad hoc manner.
“It wasn’t formalized, it was more tribal knowledge, where you get paired with someone in a shadowing-type scenario, which wasn’t backed up with hard documentation or training materials,” he recalls.
Jackson and others warn against that approach, as well as assuming that today’s workers come in with a basic understanding of cybersecurity.
They stress the need to cover security fundamentals in a standardized, repeatable approach to make sure everyone—regardless of their role, experience, and longevity in the workforce—knows exactly what’s expected of them.
“You can’t expect someone to follow a rule that you don’t tell them about, that you haven’t defined,” Rader says.
Beason says Capital One typically onboards people making their first foray into corporate life, long-term workers, and others in-between; their past experience is no guarantee they’ll know all that’s expected of them.
“We want all new workers to know the expectations we have, because security is not the same at every organization,” he says. “So before you give anyone access to your environment, you want to make sure they can operate in that environment securely, so they know the best practices and acceptable use, how to use email, what are your expectations. You want to give them those fundamentals.”
6. Tailor training to the individual, the role
Although the information around foundational security elements should be consistent and standardized, some CISOs say they’ve found success in sharing that information in different formats.
“It’s having a baseline approach with the ability to tailor it to the individual’s needs and build from there. I believe the best programs incorporate that mindset,” says Jackson.
He adds: “Give [workers] the modalities they need; be flexible to meet their needs. Programs that do that tend to go over better than those with one-size-fits-all perspectives.”
Jackson points to his most recent onboarding experience, which allowed new workers to read, listen, or simultaneously read and listen to the material. He himself says he often prefers listening to training materials but favors listening and reading together when taking in more complex information.
In addition, he says successful onboarding training programs tend to tailor advanced materials to roles and business units and also use training tools that let new workers move quickly through material they can demonstrate that they know so they can focus more attention on new material.
It’s all about meeting the workers where they are. Jackson adds: “Try to keep the employee at the center.”
7. Make the onboarding lessons part of continuous training
Ram Hegde, senior vice president and CISO of Genpact, an IT service management company, believes the security message for new employees should be “lightweight but effective.”
And like others, he believes individuals can’t absorb all the material they’re getting when starting a new job.
“So it’s probably not the best time to bombard them or to plan on getting a lot done. Think of a baseline training, focus on the biggest risks,” Hegde adds.
With that in mind, he uses an online interactive training module, which allows new workers to move quickly through the material they already know and spend more time with new information.
“It ensures that they get what they need, but it’s not keeping them longer than necessary,” he says, adding that he had had feedback on previously-used material that it was long, boring, and redundant—all of which prompted the company to move to the shorter, more engaging module.
The company then follows up, rolling out more detailed training to new workers as they settle into their jobs.
“For us, we want to make sure we’re hitting the key aspects first, allowing for a variety of backgrounds, and then downstream we have more targeted training based on the profile of the employee,” Hegde explains.
Others stress the importance of that approach, pointing out that it aligns with widely held best practice that security awareness training is not a one-and-done exercise.
“You can’t realistically build good security behaviors in 30 minutes [of training] no matter how interactive it is,” Spitzner says. “So the key part to making new people secure is continuous training throughout their career. So when they onboard, you tell them it’s their responsibility and as long as you’re here, you will be continuously trained on cybersecurity. That continuous training is what really builds that security culture.”