Assess and Identify the Problem Areas
Before you get started, do an initial assessment to identify the problem areas, says Amy Baker, vice president of security awareness training strategy and development at Proofpoint. The assessment can be anything from a broad phishing test to a question-based cybersecurity knowledge assessment. "This knowledge can be used to inform the larger program that the organization rolls out, as each module selected can be targeted to improve a specific problem area identified in the assessment," Baker says.
But don't just assess current security capabilities and knowledge. Also evaluate employee attitudes before rolling out a training program, advises Lisa Plaggemier, chief evangelist at Infosec, a provider of IT security education and workforce security awareness services. "Do they view security as a roadblock, a barrier to time to revenue, or the 'department of no?" she says. "If so, you've got to change the culture, not just train people to spot phishing emails."
In addition, remember that you can't have a one-size-fits-all security-training program. Different roles have different needs, so you need to approach your program that way, too, Plaggemier says.
Image Source: Shutterstock