Australian Cyber Security Magazine, ISSUE 2, 2017


Don't make security awareness training a punishment

By Dan Lohrmann, Chief Strategic and Chief Security Officer for Security Mentor

Every technology leader wants a security-aware, cyber-savvy enterprise culture. But what does that mean and how can we get there? There is an ongoing debate regarding security awareness training techniques, engagement and overall effectiveness. Let’s explore…

Creating an enterprise-wide “culture of security” is almost always listed as a top priority for experienced security and technology leaders in the public and private sectors. Back in early 2007, when I was Michigan’s chief information security officer (CISO), I remember being interviewed by Bill Jackson at Government Computer News (GCN) about a long list of security topics. Here is how that interview ends:

GCN: What's the biggest challenge left?

LOHRMANN: Continuing to work on the culture, to help people understand how important security is at an individual level. ... Helping people understand the impact of their actions, I think that's the biggest challenge.

Fast-forward more than a decade and I believe transforming the security culture remains our greatest challenge as we head toward 2020. But how can we get to this elusive “culture of security” while balancing the cost, benefits and many other business priorities we face? As we think about people, processes and technology, what can we do to enable people and reduce risk over time?

Can “Just in Time” Training Help?

One answer that I am seeing and hearing more about is “just in time” training (or just-in-time learning). According to ShifteLearning.com, there are many practical examples and benefits of just-in-time learning:

“It is walking down to the desk of a more experienced co-worker to ask for a solution when you get stuck on a project. It is looking up Wikipedia when you come across a novel concept during your browsing sessions. It is calling up mom when you want advice on a recipe. Just-in-time learning is having access to knowledge just when you need it. It is not having to wait till the public library opens or you can catch hold of a subject matter expert. The concept has its origins in the world of manufacturing. In the manufacturing industry, efforts are made to lessen inventory costs and reduce wastage by perfectly synchronizing the manufacturing and distribution of products to the exact time when these are needed.”

The article goes on to list many benefits of just-in-time


Australian Cyber Security Magazine, ISSUE 2, 2017 by MySecurity Marketplace - Issuu