6 Security Training Hacks to Increase Cyber IQ Org-Wide
Move beyond generic, annual security awareness training with these important tips.
September 21, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt02862389c7fe2cdb/64f0d66ab4c2364e9f4fdad5/01-traininghacks.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Some of security's toughest nuts to crack are the vulnerabilities introduced by the human element. Users are duped by phishers every day. IT operations staff configure infrastructure insecurely over and over again. Developers repeatedly write code in the same insecure fashion. Executives are tricked by business email compromises into wiring large sums of money directly to crooks. And IT security staff is asked to carry out near impossible feats of digital protection because they themselves are poorly trained to set up the tools and practices they need to keep up with attackers.
Clearly something has got to give. Security pundits agree that if organizations are going to make a real dent on cyber-risk, they need to start taking security training to the next level. Here are six suggestions for moving beyond generic annual awareness training and truly increasing cybersecurity IQ across the entire organization.
General awareness training should be just a starting point for the organization. Organizations should teach everyone the basics about how phishing scams work, how to protect their devices on the road, and so on. But they should also consider doling out specialized training based on users' roles and their access to sensitive systems.
"I'm starting to see more companies diversify their training," says Dawn-Marie Hutchinson, executive director in the office of the CISO for Optiv. "So application developers are getting this cybersecurity training, finance is getting that one or business operations gets a different one because certain policies are written into their job description and it needs to be part of their job function."
If security teams are going to keep other employees invested in defending the organization, the least they can do is throw these users a bone every once in a while. Nothing puts the brakes on a strong security culture faster than obtrusive security tools that impede users from getting their jobs done.
CISOs should seek tooling that's as transparent as possible, recommends Rodrigo Montagner, CEO and founder of OM2 TECH. "Keep it soft at the front end," he says. "Keep end user experience neat without plastering and weighting infrastructure too much."
Enterprises with cybersecurity groups that are struggling with burnout should keep in mind that while security is a specialized discipline, it shouldn't be a service "provided by an ivory tower of practitioners," says David Emerson, deputy CISO at Cyxtera Technologies.
"Security is something an IT organization must weave into its culture - something which all influential individuals, from the network engineers to the DevOps and automation staff, must hold in as high regard as they do their design, implementation, and maintenance work," he explains. "Cross-training outside the security organization can mitigate a large number of perceived gaps in enterprise skills."
Many hands make light work: the more of the IT staff that can be trained in security practices, the easier it becomes to distribute the labor and bake security into the IT workflow.