As more and more industries add security awareness and training to their list of compliance-related initiatives, more and more infosec teams (as well as corporate education groups and governance, risk management, and compliance [GRC] officers) will find themselves tasked with delivering cybersecurity education to their employees. In fact, given today’s climate, it’s likely — mandated or not — that you have already implemented some type of program.
Whether it’s on the horizon or front and center, ask yourself this: How do your end users feel about security awareness and training?
First off, if your initial thought is, “I don’t really care how they feel about it. They just have to do it!” I would suggest taking a step back and putting yourself in their shoes. How receptive are you when those types of exercises are thrust upon you?
It goes without saying that there are plenty of things that all of us are asked to put in the it’s-not-for-me-to-like-it’s-for-me-to-do pile. (Flashback: 1983. A Saturday morning in Pittsburgh. Dust rag in the form of an old sock in my hand. The smell of Pledge filling my nose.) But why do that if you don’t have to? The truth is that security awareness and training doesn’t have to be regarded as a chore by your end users.
Your Cybersecurity Training: Stagnant or Fresh?
Today, I challenge you to think of cybersecurity education in a different way. I challenge you to think of it not just as a “checking the box” activity but also a “filling the bucket” activity. Yes, a once-a-year, soup-to-nuts presentation or video about all things cybersecurity will allow you to both check the box and fill the bucket. But a year from now, what will the contents of that bucket be like? Think of water that would sit, untouched, for a year. Not so fresh, right? What (other than Twinkies and M&Ms) could withstand a stagnant period of that length and still be of value?
At Wombat, we take a different approach to employee training, delivering short, bite-sized, palatable bursts of information that can be used to nourish end users’ understanding year round. Can you check the box? Absolutely. The difference is in how you fill the bucket. Regular infusions of awareness and training keep things fresh and interesting.
To Bore or Not to Bore? That Is the Question.
We based our training approach on proven Learning Science Principles because we wanted to change behaviors and help organizations successfully manage end-user risk. Our feeling is that you can’t expect different results if you continue to use methods that have been shown to be less effective from an educational perspective.
The icing on the cake? End users see the difference. But don’t just take our word for it. Here’s what some of our customers have told us about their employee engagement:
Unlike other places where employees often view awareness training as an annoyance, we get a lot of unsolicited emails thanking us for the training and even asking if they can share it with family.
Great product, easy to use, and results are seen with end-user responsiveness.
We love the format of the training and the education it contains. I constantly have positive feedback from employees on the training and the awareness they have gained.
Our users love the training. It keeps them engaged. I would most definitely recommend the training to others.
The modules are good – short and enjoyable for most people, which is why I continue to renew.
Feedback from staff indicates that training is working and is effective. No negative reviews and a couple of inquiries asking if Wombat training is available for individuals (“I'd like my husband/wife to take this course”).
Keep these quotes in mind if you have complaints about “boring” end-user security programs or employees who don’t seem to be “getting it” from the current education materials you’re using. Security awareness training doesn’t have to be a snooze fest. Users who are attentive and engaged are going to turn into security advocates for your organization, which is a win no matter how you look at it.