Annual Security Awareness Training is a Waste of Time

Nick Santora | December 19, 2017

It’s that time of year again. December is a time for the holidays. With that comes time to travel, eat great food, visit family and friends, and wrap up another year of great work. If you are like most organizations, you have some busy work to do as well: complete your annual reviews, fill out healthcare forms, and make sure you complete your annual security awareness training. We are going to discuss the reasons why annual security awareness training is a complete waste of time for your company, your employees, and the security culture of your organization.

Why Annual Security Awareness Training?

Your employees receive an email stating, “Complete required annual security awareness training.” What do you think their first reaction is? “This is a waste of time!” “Why do they do this to me every year?” “I am just going to click Next as fast as I can!” “This is so cheesy.” Believe me, these are only some of the comments we can print on this blog; I am sure you have heard and experienced much worse.

Your company might have a compliance obligation or policy that states every employee must complete required annual security awareness training. Sometimes you can’t get around this, but the way it is implemented is wrong. You should first understand why you even have a security awareness policy in place. Think about it. Why would you have your employees complete any type of security awareness training? It is probably to educate and train them to practice better security behaviors, right? Your goal is to change their behavior so that they follow best practices and create a more secure environment.

“Do you truly believe you are accomplishing that goal by delivering a once-a-year death-by-PowerPoint experience?”

Developing a Security Culture

Let’s take a look at security through a different lens. Imagine I am your fitness coach. My job is to help get you in shape, eat healthy, and become more health conscious in your daily diet and exercise decisions. So what are we going to do? Well, how about this plan: I am going to get you on a treadmill and we are going to run for a half hour while lifting weights, all at the same time. Then, right after that, we are going to eat a salad and drink a smoothie. Perfect, now I will just make you sign a document that says you have completed your fitness training. With that, I say that I will see you next year, same time, same place, same activity. Perfect, now you’ll be in great shape throughout the year because of this.

Absolutely not.


Let’s take a look at a better approach. I would meet with you to get an initial understanding of what your goals are. We would determine where you have had challenges with fitness and healthy eating in the past. We would then discuss a plan for how we are going to move forward. From there, we would establish a baseline of fitness for you. We would discuss healthy meal plans, exercise routines, and how to apply fitness in your everyday life. Then, we would also check in periodically to see how the plan is going and make adjustments based on any metrics we are gathering.

This concept is exactly how a security awareness program works. To build awareness, it must be spread out throughout the year in consumable, bite-sized conversations. Once-a-year security awareness training is great for checking a compliance box, but it is completely ineffective when it comes to actually protecting your organization. Employees expect information in simple, clearly communicated language. Gradually educating employees throughout the year allows for an understanding of concepts similar to the way chapters in a book are broken out.

By spreading content throughout the year, you can focus your efforts on making sure those concepts are well understood by your employees. Overwhelming employees with information is like trying to cram for an exam. Cramming might get you to pass the test, but we are not trying to only pass a test here. We are trying to change long-term behaviors. We are trying to defend our organization from the continuous cyber threats and attacks our employees face every day. We are building a security culture.

Change is Not Built Overnight

Change is not accomplished overnight. It takes consistency and repetition to get it right. If you want to build a truly effective security awareness program, you cannot deliver a once-a-year death-by-PowerPoint session and expect change. The effort you put into the program will be reflected in the output from the employees participating. If security is seen as a roadblock, it is your job to show that security should be part of their everyday practices. You need to show your employees how simple implementing security behaviors can be in their everyday lives.

Just like in the fitness example above, with just one annual session in the gym, you will not see an improvement. But after several sessions and a repeatable routine of following the plan, you will see improvement. The same concept applies to your security awareness program. If you create a plan and follow that plan consistently with your employees, I promise you that change will occur. Employees will change their behaviors, and security will become a part of your company culture. Change begins with a solid plan and continues with the drive to execute that plan.

If you are looking to make a change from your boring annual security awareness training to an immersive security awareness program, reach out; we would love to help.

Author: Nick Santora

CISSP, CISA, Chief Executive Officer of Curricula.