It is widely documented that users are the biggest vulnerability in our cybersecurity ecosystem.  Technical solutions and policy are both foundational and necessary, but a single careless user or a deliberate shadow IT practitioner can easily expose the business to serious threats.  As a result, companies are increasingly looking for effective methods to train their employees to mitigate user risk.  I see three keys to user training, and all of these must be addressed from the executive leadership level.

First, we need to make sure we have the right strategic business objective for the training.  Security professionals and curriculum developers are good at writing courses to cover everything from two-factor authentication to proper use of file sharing services.  But all of that training is going to fall on at least semi-deaf ears if you do not get employee buy-in on the importance of standards of behavior on the network.  Employees from the most junior level to the C-Suite must believe that information security is critical to the success of the company and that there will necessarily be tradeoffs between convenience and security, and they must be able to connect the dots between their personal future with the company and adherence to security policies and standards.

Once you convince employees that their future is tied to their behavior on the network, then you need to conduct effective training.  Once during onboarding, or even annually, is not sufficient.  Plus, it cannot be the same old computer-based slide show if you expect people to be engaged and get something out of it.  The threat changes daily and so does the technology in use by the company.  Short, frequent, relevant training that is designed to engage the users is the key to success.  Unfortunately, few training programs meet these criteria.

The second key to success is making sure there are processes in place to validate that the training worked.  All of us have been subject to mind-numbing slide show presentations spiced up with cute memes and forced on us with deadlines right around the holiday break.  Training delivery clearly needs to be improved, but we cannot stop there.  We have to test the validity of the training.  Phishing exercises, scans for unauthorized USB devices and automated logging of file sharing and selected web activity are all ways to see if the training is effective.  Additionally, we need regular incident response exercises that touch the whole company, not just IT and security.  And then we need to close the loop.  When we discover individual violations, we need to determine whether it was a training problem and, if so, adjust the training.  From the exercise perspective, make sure we capture lessons learned, not just lessons “observed,” and make the appropriate adjustments to the playbooks.

The third key to better training is accountability.  In every company there are standards of behavior pertaining to key business processes.  Some are regulatory, others are safety-related and many are just designed to ensure the business is protected and can grow.  In all of those areas, we ensure people are trained and qualified to do their jobs, and if they fall short we hold them accountable.  We need to treat information security the same way.  If we have trained you on the policies and taught you to use the technology, then you must be held accountable for doing your part.  Without accountability throughout the management chain, this all becomes a problem for the CIO and CISO, and they cannot close the user vulnerability gap alone.

Make sure employees internalize the strategic rationale for security training, ensure that you have a good program by training and verifying, and in the end, enforce a level of accountability that fits your company culture when it comes to information security.