4 tips for implementing a security awareness solution

It is essential for every organisation to have staff that is cybersecurity aware. Everyone needs to understand what security risks are threatening an organisation, what the impact of a breach will have on their business, and how to understand and comply with industry regulations. A good level of security awareness within an organisation reduces the risk of breaches and downtime of your organisation.

Security Awareness Skills Gap

I get a lot of questions lately on how to tackle security awareness skills gaps in organizations. So I decided to dive deeper into the ecosystem of security awareness solutions currently on the market. Since COVID-19, security awareness has become paramount for all organizations. But how do you train your employees on a large scale?

There are many digital security awareness training solutions out there (e.g. Kaspersky, EC-Council Aware, KnowBe4, Infosec, Mimecast) with quite similar offerings.

Some of the programs are based on measuring knowledge and then tackling the knowledge gap by delivering content and then measuring again. Others are more advanced including the usage of VR, mystery guest tests and phishing simulation. But the challenge is not choosing a solution, but understanding how your organization will use the solution.

Here are 4 key considerations which will save you time and help you determine how you will use a security awareness solution.

• What are your security awareness needs?
• What content suits your organization?
• Which modalities work for you?
• How will you manage the solution?

Here is a breakdown of the above:

What are your security awareness needs?

First of all ask yourself why you or your organization need this. Some organizations need security awareness programs because of compliance projects. Others deal with a lot of a sensitive data such as personal and payment data.

To better formulate your security awareness strategy you can use the Security Awareness Maturity Model from sans.org. This matrix can help you map out where your organization currently sits and it will also help you roadmap your future needs.

It describes in levels where you as an organization might be.

• Level 1: Non-Existent Program
• Level 2: Compliance Focused
• Level 3: Promoting Awareness & Change
• Level 4: Long Term Sustainment
• Level 5: Metrics

Based on a first analysis you will have a better view on what solution your organization might need.

What content suits your organization?

Not all companies are the same. Which is why it is important to have a training program in place to suit your organizations needs. For example a module that covers call center agents behaviours would not match a group of developers.

When developing a solution, make sure there is plenty industry specific content available. Also check  the content is being refreshed regularly.

A trial version is the best way to discover the quality of content. Another option is the possibility to use your own custom (bespoke) content.

Which modalities work for you?

I came across several ways to deliver digital training. EC-Council Aware works with challenges, where you are able to invite other players with a Kahoot integration. Knowbe4 has some excellent options besides the usual phishing tests such as the USB drive test – where you can actually create a USB drive with malicious content and throw it in the organization and see what happens.

Another important thing to consider is your organizations training mentality. Which type of content, tone of voice fits best with your organization? Make sure you can tweak that into your program.

How will you manage the solution?

To start building the right program, you should have a clear understanding of the current state of the organization. What are the behaviours at the moment, what is the current knowledge and skills gaps? Based on that, you can deliver a set of training programs and then evaluate the output and what was learned by measuring the results. In other words it is important to understand the impact the program has had on your staff and within your organization.

Most solutions in the market deliver a complete dashboard that allow visibility of the learning consumed and the corresponding scores. Since this is almost standard functionality, the more important question is: how will you maintain the dashboard and how will you use the insights to optimize your program?

In terms of management, keep in mind that a program or solution to raise security awareness will need to be managed and followed up closely. This will take time!

One thing to consider is defining your KPI’s before you start the program. For example, you want all your employees to complete a specific training module or program up to a certain levelbefore the completion date.

Conclusion

When selecting a security awareness solution, make sure you first have a clear understanding of the current state of your organization security behaviours. Then start with defining your learning goals and how you would measure success. From there you can determine the preferred learning delivery methods that match your organizations culture.

With these things in mind, the selection of security awareness solution will be a breeze and implementation will have a higher success rate.

More information

Would you like more information on how to implement security awareness within your organisation? Global Knowledge can help! Visit our Cybersecurity Training Page or contact us on training@globalknowledge.dk or +45 44881800.