One of the biggest missed opportunities in cybersecurity training is treating it as a compliance box to tick for your entire organization, or focusing on it for one month only and neglecting it the rest of the year.
In situations like these, it’s like studying for a college exam and highlighting the entire textbook. When everything is a priority, nothing is a priority. When it comes down to the wire, this can lead to serious vulnerabilities.
It’s as simple as that. Human Risk Management is about informing, empowering, and engaging individuals to be at the helm of their own active security choices, and quite frankly, people aren’t motivated to do any of that if the compelling force is pushing them to do it or else. When the real threat behind you is more pressing than the potential threat in front of you, employees can’t learn, and don’t care. They may attend the training, check the boxes, and meet the compliance quota, but does that actually make change happen? We don’t think so. This is where so many businesses are at, and we believe that it can be so much better.
To break down why this doesn’t work, let’s reframe the whole concept.
It’s simply not effective to spend one frantic month cramming in all of the brain-numbing, punishment-heavy, point-and-click training just to check a box somewhere that says you did it—and the data agrees.
If the goal is about changing behavior, then the best and most effective way to truly change behavior is to integrate those opportunities for learning and growth in an organic way. There’s no Olympian on the planet who only trains for one week out of the year, calls it good, and hopes for the gold. There’s no way you’d trust your surgeon if she walked in and told you that she’d crammed for your upcoming transplant surgery and was just hoping things would figure themselves out on the operating table. We can do better.
Instead, Security Program Owners can and should provide unique training content every month. Unify, Living Security’s Human Risk Management solution, makes every month awareness month, and means you can not only respond to real-time metrics with appropriate training opportunities, but also leverage real-time events as teachable moments for your whole organization.
Sometimes, a classic is a classic for a reason, but in this case, "the way it’s always been done" isn’t good enough.
If compliance-based training had been working in the last 10 years, we would’ve seen the percentage of cybersecurity incidents involving humans go down, but it hasn’t. Security awareness training is an important part of the conversation, but it’s just not enough. There has to be more: your training program should be about the why that drives the how.
Reframing the question to be about the results you want and the behaviors it will take to get there means that security training for your company isn’t about prepackaged training modules that are likely to already be out of date. It’s about up-to-the-minute observations and insights that can drive behavior change. Plus, by focusing on these particular activities and taking action accordingly, you can more effectively prove the ROI of your security program.
We’re honored to have recently been named a leader in Security Awareness & Training in the Forrester Wave report, and we believe that Living Security truly is leading the way in the areas where it matters most: doing more than just paying lip service to awareness, behavior, and culture changes in order to reduce human risk; providing meaningful security culture metrics that truly improve training, behavior, and outcomes; and offering innovative solutions that disrupt the future of SA&T in all the right ways. As the report says, “You need a different way to manage human risk, not better ways to train people.” We absolutely agree.
Check out the full Forrester Wave report here to learn more about why Living Security is a leader in Human Risk Management.