Engagement Is for Suckers: The Real Training Manifesto

With Tom Pendergast on vacation, the "anti-Tom" snatched the opportunity to give an "alternative" point of view on engagement in training. It's not pretty.

Notice: Tom is away on vacation.

He asked me to write this blog as a “reasoned counterpoint” to his insipid ramblings about “engaging training.”

“I trust you,” he said.

What a sucker.

Who am I?

I’m the anti-Tom. Remember the Seinfeld episode? I’m Bizarro Tom. I do the opposite.

You’ve heard that naïve drivel about how to engage your employees with your security training and awareness program, right? All that happy-sappy B.S. about trust and respect and clarity and decency … yadda yadda yadda.

You’ve got one goal: Covering your own butt. Making sure your job is done by ensuring everyone else does theirs. Period. The rest is noise.

A Different Way

You want to know the right way to run an awareness program? Ram it down their throats.

Two hours of training? So what!

Reduction in pay for repeated phishing failure? Damn straight.

You don’t like my daily reminder email? Suck it up.

It’s not that hard. In fact, I’ve written a manifesto. Here it is. Read it.

Get with the Program, Dummies: A Manifesto

Information Security is too important to leave to the soft-hearted and sympathetic. The proper principles for burning security habits into people’s brains are as follows:

1. Assume your employees are stupid and/or malicious. Every communication should remind them that you’re on to them.

2. Punish all transgressions. People will improve if they are rebuked and criticized. My motto: the beatings will continue until morale improves!

3. Require training. People pay more attention to what is required.

4. Make your training long. You made it required, now pack it full of every policy and requirement you’ve got.

5. Deliver the same training every year. Your time is more important than changing risks.

6. Make it serious, threatening, and dire. Security isn’t fun. Fun is for children; do you see any children here?

7. Use technical language. Info security is not for dummies. Show the simpletons all the complexity and technical detail that you’ve had to master. That way, not only will you be feared, you’ll be respected.

8. Record your own audio and video. People need to see and hear your disdain.

9. Don’t fall for gamification dogma. Rewards are for babies. Random time-outs or lock-outs keep people on their toes.

10. Remind everyone: we’re “checking the box.” Avoid all talk of the “larger benefit” of learning to protect data.

You’ll See Your Success by the Look in Their Eyes

The “experts” tell us to measure the success of our programs. That’s BS. Just keep pounding the training until you achieve perfection. You’ll know it when you see it. If there are any errors in human behavior, just keep pushing.

The great thing is, you’ll know when it’s working. Ask any employee what they think of your security awareness program. They won’t have to say a word. You’ll know your impact by the look in their eyes.

So, the next time that Tom tells you to “engage” your employees, remind him that you’ve seen the manifesto that will bring about REAL change at your company.

He’ll try to talk you out of it, but remember, that’s just a sign that he’s part of the “engagement” conspiracy: fake training.

Tell Tom I say hi.


Need More of Tom's Ramblings?

I don't see why you would, but you can find more of Tom's claptrap on his blog.
