It's also essential to treat your security awareness program as a communication exercise, in effect a change management problem. IT and the security function may not have the skills to make that happen, so Conrad suggests partnering with the training organization or the marketing organization to get the awareness training across most effectively.
"Anytime you can communicate a message to a person and make it personal, you're going to be much better off," Conrad says.
For instance, foundational training could show employees tools and best practices they can use at home to protect their children and other family members. They can then apply those tools and practices on the job.
"That's a very reasonable way to approach it," Conrad says. "Tie in that emotional hook. Make it real and personal."