Why Security Training Matters
When we talk about training, our goal is to align the intrinsic motivations of a learner with the company's strategy and objectives. If a training program is misaligned with either of these, it will suffer: either the training is irrelevant, or it is perceived as a compulsory box that needs to be ticked. Building an effective security culture therefore hinges on having a strong security training program, and developing a strong security culture is critical if an organization is to succeed in producing secure products.
But how do you construct a strong security training program? What are its components? How can you measure its success? These are all important questions. I will attempt to answer them with three principles drawn from our own experience at Security Compass.
Principle #1: Align Your Implementation Plan
Once you have identified the need for security training, you require an implementation plan to roll out security training successfully across your departments. Start by hosting an internal kickoff meeting with the appropriate stakeholders. Be aware that some departments may have a vested interest in your security program while others may be strong influencers. Be intentional about whom you invite to the meeting and what you hope to achieve. Your agenda should include discussion points around the following:
Purpose and goals
- Agree on the reason and need for security training.
- Agree on the goals and objectives your security program will achieve.
- Agree on a governance model to drive accountability during development and after the program is rolled out.
- Decide on your technical lead(s) to drive any integration efforts.
- Decide on your instructional designer(s) who can validate or develop effective courses.
- Decide who will be responsible for testing your security training courses.
- Decide who will act as the Administrator, with responsibility for learner enrollment, course updates, etc.
- Decide who will report on the ongoing status of the program during development.
- Decide who will support the learners with program or course related questions.
- Review and decide whether your training program will address the needs of a department, specific role, or a general job function.
- Create a learning path so each learner will have access to the correct course content.
- Decide if the courses will be voluntary or mandated, and whether learners will have a deadline for completion. We recommend mandating courses with a 3-6 month completion timeline.
- Consult the Security Compass team for learning path bundles and recommendations.
- Discuss the best channels of communication (direct managers, mass email, or other communication platforms) and the timing of these communications.
- Consult the Security Compass team for sample communication plans, and best practices to assist in a successful launch.
Principle #2: Phase Your Rollout
You should not launch everything at once. Instead, de-risk your launch so that you have time to fix unforeseen issues as they arise. A soft launch is a good idea and should take place approximately 4-6 weeks prior to the full scheduled rollout. The soft launch enrolls a handful of learners in one or more specific courses, allowing enough time for them to complete the assigned courses and provide feedback. These learners should represent each department and/or team that will participate in training. This allows you to make adjustments to the implementation plan before the full launch.
Principle #3: Your Reporting and Tracking Should Drive Program Health
As the owner of your training program, you should review reports frequently, perhaps bi-weekly or monthly. Analyze the data and collaborate with the Security Compass team to learn how to increase participation as needed so that your goals are achieved. This information is especially useful if courses are mandated, or if incentives are used to drive motivation and participation.
Drive Adoption and Participation
Now that you have met with your internal stakeholders and aligned on a solid implementation plan with clear ownership, goals, and communications, continue to drive participation. Here are some ideas:
Mandate specific courses
Companies with the highest security training participation rates often give the same advice: make your courses mandatory and set a strict, yet reasonable, deadline for completion. Review your requirements and align the role of each learner to the course that best matches their needs. Mandate general security compliance courses along with language-specific courses.
Use incentives
An incentive can be a great motivational tool, and it is effective if the right incentive is used. Cash, gift cards, or items of monetary value may work. Other ideas include leaderboards with bragging rights, employee recognition, company swag, or career development using SSP certification. Alternatively, restrictions can also help: if learners do not meet mandated deadlines, they may not be permitted to participate in certain projects. Be careful with negative incentives, as they can sometimes delay critical projects and create the perception that your security program is a blocker.
Create reminders and notifications
Similar to the initial communication plans, keep a regular cadence of reminders. For example, if your LMS allows it, automate email reminders 90, 60, and 30 days prior to the due date. Your learners are often busy, and if a course is not mandatory for their job, training may be forgotten or deprioritized.
Your security training program should be focused and intentional, since unclear objectives or poor alignment will lead to confusion among your learners and make it difficult to determine program success. By keeping your security training program focused on the learner and aligned with business goals and objectives, you will have a stronger program with measurable impact.
For more information or help with the implementation, rollout, and adoption of your organization’s security training program, talk to us.