Your Security Awareness Program Sucks If…

There is no shortage of pundits who claim security awareness training doesn’t work. And the truth is, there are a lot of programs that really do suck—but not all of them. The important thing is being able to tell the good from the bad. Here are four clear signs that your security awareness program sucks:
#1: If your security awareness training is boring, it sucks
Getting employees to pay attention to security isn’t easy—so why make it even harder with deadly boring PowerPoint slides or stand-up training? The only “awareness” these things bring about is just how numb your backside gets as you sit through them. Surprisingly few training providers seem to understand the art and science of online training that captures attention, engages the learner, and actually creates and sustains awareness. Good training keeps things interesting with a variety of media, lively interactions, and relevant content. But boring training? That always sucks.
#2: If your security awareness training ignores the ways people learn, it sucks
If the concept of adult learning principles is new to you, there’s a good chance your awareness program sucks. Successful adult learning gets people’s attention, communicates relevant information, builds confidence that they can master the content, and leaves them with a satisfying learning experience. If your program isn’t tapping your employees’ inherent curiosity and willingness to learn, it probably sucks.
#3: If your training is a one-time annual event, it sucks
Do you think security awareness training is a “once and it’s done” kind of exercise? If so, your program likely sucks. The fact is, it takes many exposures to a message before it sinks in, and perhaps many more before it translates into behavioral change. The health and wealth of your organization may well depend upon your employees keeping security top of mind. What they do really matters. That’s your message, and it bears repeating with a reinforcement program that echoes the message of your training, thus creating a sustainable security-aware culture. Anything less just sucks.
#4: If your security awareness training seeks only to check the regulatory compliance box, it sucks
Security awareness training designed just to check a regulatory compliance box is a useless exercise. To truly move the security needle, you need a program that will actually change users’ behaviors and help you build a culture of security awareness in your organization. A “compliant” but security-clueless organization? That sucks.
