Besides increasing training, I'd like to bombard employees with security awareness reminders, since frequent reminders reinforce once-a-year exercises. For example, I plan to push security awareness screen savers to every Microsoft endpoint. In our break areas, we have monitors that display sales quotas, marketing materials and other company announcements. Why not include a security awareness slide from time to time?
Finally, to measure the effectiveness of the awareness training, I plan to send out emails disguised as phishing attacks every once in a while, then collect statistics on how many employees take the bait. If I've done my job correctly, that number should decrease over time.