Sjouwerman says his three-step process runs from establishing a baseline test, through reviewing the results, to training “everyone from the mailroom to the boardroom.” Tests, he says, must be done on a regular basis to keep employees interested and learning.
The experts are mixed on the new trend for ‘gamifying’ training, though. Sjouwerman says that phishing games between departments can drive lower click rates, but Wood stresses that it must not be a gimmick, and must be joined up with an existing program.
Next year Wood's firm is working with a UK charity to build red teaming exercises into their annual conferences. “People do enjoy it,” he says.
Incentivize the users
Wood admits that the biggest challenge is continuing the program and making it year round, something he says requires time and money. In an ideal world, he says, each business would have security evangelists keeping up with the threats and thinking creatively about how training should take place.
Media reports can be used to keep a buzz around security, especially if breaches are local or industry-relevant.
The experts argue too that you can incentivize employees through training. Some say that if you use a phishing reporting tool, or have some other way of measuring end-user security awareness, you could award top employees with a gift at a company gathering. It's a positive way of recognizing excellence and reinforcing good behavior.
Sjouwerman sees advantages to both the ‘carrot’ and the ‘stick’ approach, but advises CISOs to show employees how this knowledge can be used at home for their own personal security.
Richard Starnes, CISO at the Kentucky Health Cooperative, agrees and tells CSO: “In my company’s awareness program, we break down the skills and relate them to things you would do to protect yourself at home.
“Show someone how to keep their children safe online at home and those skills easily translate to make your company safer at work.”
Starnes, who urges CISOs to establish KPIs to measure training effectiveness, adds: “There cannot be a culture of blame. I would rather have someone recognize they have made a mistake and notify security. If they do not notify security because they are concerned they may be punished, your awareness program has failed at the worst possible time.”