Security Awareness Training. It’s a ubiquitous component of employee onboarding. It’s questioned on every prospect’s security questionnaire. It’s that thing that employees roll their eyes about. It’s compliance. Obligation. Most likely considered boring by the majority of your workforce.
But security awareness is a critical component of company culture. That’s right - it should not be just a requirement, just a box to check, just something relegated to the security team to care about.
Company cultures that prioritize security value customer trust and protection of their business.
Every single employee should, on some level, care about and be knowledgeable about security best practices - especially in a world where so many people are working remotely. Security can no longer be enforced via your corporate network; your employees must be aware of ways to decrease risk whether they’re at the office, on their home WiFi network, at a cafe or an AirBnB or an airport or an RV in a national park…you see where I’m going with this.
While there is a wealth of benefits that come with a distributed workforce, one of the downsides is that your systems and data are exposed to increased risk.
That’s why it is more important than ever to take Security Awareness Training seriously - to care about making it engaging, informative, easy-to-understand, and interesting all at the same time.
One of the problems with Security Awareness Training, one of the reasons it evokes feelings of - and I don’t think it’s too dramatic to use this word - dread amongst most employees, is that it is typically designed as a one-time, annual training that employees must sit through so they can check off a task and move on with their day. They don’t have a reason to care about it; they just need to complete it.
In cultures that truly value and prioritize security, awareness is woven into everyday life at your company - just like other company values such as “Transparency” and “Open Communication” and “Be Obsessed With the Customer” etc.
I mean, why don’t we create Slack channels where employees get shoutouts for properly reporting phishing attempts to the CISO?
We believe that it’s cool to care about security. We envision a world where security education is ongoing, where the goal is true understanding and information retention rather than completing an obligatory task, where there are no stupid questions, where open discussion is encouraged, and security experts are constantly advocating to ensure that security is valued by the entire organization.
Here are a few ways to ensure security is valued across your workforce:
- Make it Fun: Start a Slack channel celebrating security wins and shoutouts (like when someone reports a phishing attempt, remediates a bug, etc.). Or, gamify it! Give people prizes for completing the training first, or hold a group Jeopardy session to quiz people on what they learned. This generates more awareness and knowledge-sharing in a way that rewards those who consciously contribute to the security of your org.
- Regularly Share Tips: One of my coworkers used to create a weekly flyer containing interesting facts and a brainteaser. He posted these flyers in common spaces like the office bathroom, so that people would have no choice but to read them. I learned a lot from those flyers, and they contributed to a company culture that valued knowledge-sharing and constant growth. There are likely many ways to share quick tips or facts about security best practices, even in a distributed environment.
- Help Employees Understand That Everyone Shares Security Responsibility: Unfortunately, employees are often the weak link when it comes to data breaches. Your awareness program should make it clear that there are baseline best practices that EVERY employee, regardless of role, can use in order to individually and collectively protect customers and the business.
- Hold Regular Lunch & Learn Sessions: Rather than an annual/onboarding session, set up sessions more regularly where the security experts can educate other employees about specific security topics, to encourage a culture where it’s okay to still be learning and curious about security.
What are some ways you’ve built security into your company culture?