"A lot of awareness programs are simply ad hoc," he says. "A proper plan identifies who you are targeting and the scope."
In many cases, different targets (general employees and contractors, IT staff, help desk, senior management) will require different training programs.
"You need to teach absolutely everyone in your organization that touches any data," Spitzner says.
Once the targets are identified, the steering committee needs to determine what each target needs to learn. Spitzner recommends that instead of trying to teach a little bit of everything, the training program should focus on a few topics that will have a big impact. Each organization's needs and risks will be different, so a risk assessment on each topic would be helpful. Common topics include: passwords, social engineering, compliance, email and instant messaging, browsing and browsers, social networking, mobile device security, data protection and data destruction.
The steering committee then needs to determine how it will engage employees.
"How are you going to communicate this? You have to think of awareness as a product," Spitzner says. "You have to think of engagement. Don't focus on the benefits to the organization. Focus on the benefits to the employees. In most cases, this education benefits employees both in their personal life and in the organization. If you focus on the benefits people get in their personal life, you get tremendous engagement, tremendous benefit."
Take a Modular Approach
Spitzner also recommends avoiding monolithic, hours-long training. Instead, he says, take a modular approach to topics. The modules could be as short as three to five minutes. Primary training should consist of a mix of short videos and onsite training, with newsletters and even sanctioned phishing assessments for reinforcement. Facebook feeds, Twitter feeds, posters and flyers can also play a role. It's important that employees receive primary training once a year and then reinforcement through regular touchpoints throughout the year, Spitzner says.
Finally, the program requires metrics that measure employee engagement with the program and how their behavior changes as a result. The program should be reevaluated and updated at least once a year based on the metrics.