Publish date: 15.12.22

Some form of human error or misjudgement is involved in the majority of data breaches, including not only the failure to identify a phishing attack, but also system misconfiguration, data misuse or misdelivery, and the use of weak credentials. This indicates that traditional approaches to security awareness training are no longer effective. Gartner foresees the continuing emergence of a new type of program to replace traditional training: a security behaviour and culture program (SBCP).

Previous Blog: #3 Identity Threat Detection & Response

Traditional training falling flat

You’ve probably experienced this yourself. Once or twice a year, it’s announced that all employees must complete the security awareness training program by a certain date in order for the company to remain in compliance with regulations. Literally everyone in the company regards it as an unwelcome chore. You put it off as long as you can, and when you finally decide to tackle it, you try to crash through it as quickly as possible, just to get it over with. The program itself is written by cybersecurity experts, with the aim of conveying cybersecurity information efficiently and testing employees’ comprehension of it. You can only engage the program through a single type of device and portal. And the program is identical for everyone, completely static, and — especially for the younger generation of workers who come with high digital aptitude and cyber literacy — not successful at either conveying new information or instilling any kind of passion or motivation for adopting secure practices. To the extent that it affects corporate culture, it primarily instils a shared sense of disdain and impatience toward security awareness training.

New approaches

Compared to the old, clichéd training programs that are primarily intended to achieve compliance, the new SBCP programs take seriously the task of reducing cyber risk by effecting real, lasting change in employee behaviours and in the corporate culture overall. As growing numbers of business technologists are empowered to make cybersecurity judgments on a day-to-day basis in the course of their work, they need to acquire habits of thought and patterns of behaviour that go beyond merely spotting phishing emails and responding appropriately. To achieve this, modern SBCPs are not built exclusively from a cybersecurity perspective. Instead, they integrate multiple disciplines in order to operate more like a classical, full-fledged marketing campaign than like an old-school security awareness campaign.

This means that multiple non-cybersecurity competencies must come into play, such as:
– Marketing and public relations
– Human-centric design principles
– Organisational change management
– Psychology and sociology

Getting ahead of the trend

As a leader in security and risk management for your organisation, your goal should be to drive a cultural change that gives all workers engaging with digital systems effective cyber judgment skills, along with a strong motivation to apply them in the course of their work. This will require you to become conversant with organisational change management and social science principles that can be applied to changing organisational culture.

In addition, you’ll need to collaborate with business leaders across the organisation to ensure that everyone involved in business technology is exposed to culture-changing activities and can access training.

Finally, you want to engage with a cybersecurity training vendor that uses a platform-centric approach and provides innovative features that drive engagement and produce true behavioural change, such as:

– Real-world phishing simulations that are based on up-to-the-moment threat trends
– Gamification that publicly rewards high performers while also motivating lower performers to improve
– Adaptive, contextualised training based on performance
– In-the-moment nudges to drive improved judgment

If you would like to explore your options and this is something you feel your organisation needs to improve on, please don’t hesitate to reach out here.