All employees need security training, yet it’s generally a resented afterthought. A variety of studies over years show that human error is generally felt to be the largest vulnerability in organizations.
For technology companies like SaaS providers, who also need to ensure its developers and engineers are on top of their security game, there are further risks from passing on threats to customers down the software supply chain. Tech and non-tech colleagues must play their part – and that only comes from lifelong learning.
Tech companies must be on top of their staff education, training, and best practices. Every aspect of their delivery must minimize the risk to the business, staff, customers, and their customers’ clients, too. Technical and non-technical staff must be trained to quality standards, with the most widely applicable being SOC 2 and ISO 27001. Additionally, there are various data security, privacy, and financial processing regulations as well, relevant to certain industries and staff roles.
Security training has always been a real challenge for tech companies. Product innovators race ahead to get to market, and there’s a drive to “move fast and break things”. With scale come other business, tech, and people challenges, and security must compete with many other urgent and important priorities. By the time many firms take it seriously – and even when they do – it’s not on the radar of most employees. It’s time for that to change.
Taking security more seriously means committing to training
Everyone claims to take security seriously, but if CISOs and department leads are not regularly and frequently (this is the key part) refreshing, testing, or even deploying red team tactics against all employees, then they are not being totally honest with themselves.
Without frequent refresher training and a culture that develops and supports a security conscious workforce, the risk to the business is great. People make or break a secure environment, and they make mistakes, forget, or get tricked easily.
And with AI and machine learning now being used to create more realistic and more targeted lures, the only way to mitigate this the risk is with continual training and ongoing awareness.
Top tips for making training that sticks
Teach the why, not merely the what
This is essential for any training of any type. Demanding compliance makes the mandated procedures seem like an imposition, and all security an obstacle to be avoided. Explain the security vulnerabilities and common pitfalls so that users realize the importance of their vigilance. Explain the consequences to the business and to each user (both in their professional and personal and family life).
Do not shy away from technical details
Your tech team will want to know any limitations that impact their ability to execute.
Where security solutions or steps may affect delivery, this must be accounted for AND explained properly to senior leaders in terms of risk and incident management. These senior leaders must be prepared for security to slow things down and support this – security awareness is critical if this is to be part of a top-down approach to security.
Non-technical staff will understand the scale and dangers present much better when training is backed up by exercises and activities that put them at the center of the threat, followed by stats on breakout times, estimated remediation costs, and the business impact for them and employee security should losses occur. Relevant detail underscores the importance of the exercise.
Be human, be real
Cover the major areas of risk – social engineering, passwords, physical security, data handling, and compliance, etc. – but don’t forget being human.
Technical and line-of-business people alike must understand what the major areas of risk are for the business and their own roles. Think about the culture of humans interacting with humans. Make it safe for people to check in or admit fault when they take their training back to the real world.
Make it accessible for everybody
Security training must speak to the skilled and security literate to keep them fresh and humble. It must also not overwhelm the less technically literate or turn them off.
It’s worth tailoring the message to the role and seniority of the audience, and training peer groups together. It doesn’t do any good for juniors to not ask for clarification because they are overawed by the manager sitting next to them.
Having experts design training that speaks to cohorts by their requirements helps avoid people zoning out. Everyone – whether they admit it or not – loves a good horror story; play to that with engaging story-based training that will motivate users to share and discuss.
Be funny, be memorable
Deploy all the best practices of a raconteur so that written elements sparkle and spoken parts land well. Great security training is not bland – it’s important and deserves to be impactful.
Remember: spaced and varied repetition is key to embedding learning for the long-term. CISOs must run the risk of becoming unpopular by insisting on frequent, regular training and refreshers. Regular training – the standard annual refresher training – isn’t enough anymore; frequent planned and surprise training must be provided. Deploying red teams and surprise exercises can really raise your employees’ game. Whatever the results, ensure a culture of learning rather than blame, and incentivize the right levels of transparency, inquiry, and honesty.
Give engineers the tools to create security-by-design
Your technical and product teams need even more security training to embed best practices into the CI/CD workflow and ensure solutions are not vulnerable to known risks.
Invest in the tools and training that give technical staff the frameworks and models to make security a simple and easy step when creating great products. It’s cheaper to avoid vulnerability or future breach at the development stage. Stand up to cost cutting pressures by pointing to products that ended up causing problems due to lackluster security, and present a case that shows that secure products secure profitability.
Overcome all challenges and make it count
All-in-all, security awareness training is essential, and must be a live, evolving process.
Take the same care and attention with the content, style, and delivery as one would with both a wedding speech and a presentation to investors. Style should never trump content, but if awareness training is to be effective, it should be a very close second.
To create more secure outcomes firms must up their security training game, or our whole digital world will get a little worse, one product, one system, one day at a time.