English

Subscribe to our newsletter

1101 Connecticut Ave, Suite 450, Washington DC 20036.

© 2024

Copyright. Stay Safe Online, NCA. All Rights Reserved.

Cybersecurity for Business

May 24, 2022

4 Min Read

Did You Notice a Shift in Attitudes Towards Awareness Training at This Year's NCA Conference?

Mike Polatsek, Co-founder and CSO at CybeReady, reflects on Convene: Florida.

Awareness Training

After two long years of virtual conferences, it was a fantastic opportunity to see so many customers and colleagues at the NCA’s recent Security Training and Awareness Conference.

And during the event, I saw that after all of these years, the market is beginning to shift its language and to see the value in three key areas.  

These three areas felt very familiar to me. While the market was focused on the language of awareness and training, we spoke about readiness and learning, and how to impact real behavioral change.  

Awareness vs Readiness

There are a number of reasons why the idea of awareness never sat right with me. First of all, it purely represents the input of the training manager – whatever actions the trainers are taking in order to make employees aware of cybersecurity risks in the way that they work. Training managers implement awareness techniques and campaigns in order to try to prove behavioral change on the part of their employees.  

A smarter approach has always been to focus on the other side of the equation – the output that the employees create. If the input is awareness, the output is readiness. How ready are your employees to face today’s cybersecurity risks? This is a practical definition that can be planned, executed, and, critically, measured.

Entertainment vs Learning 

The next shift is from the idea of training to learning. This can be looked at similarly through the lens of input vs output. Instead of looking at what the trainers can provide (and at the moment the trend appears to be videos and games, leaning on gamification and fun to try to make training more engaging), trainers need to understand how employees learn. We’re not looking to entertain our learners; we’re not even looking to communicate with them directly most of the time. We’re simply looking to help them to learn and adopt new behaviors behind the scenes, and then measure the output of that learning in terms of their behavioral change.

To do this, we don’t need trendy training techniques and gamification. Instead, we ask ourselves, what are employees’ learning triggers? How can we provide opportunities for them to practice and repeat what they need to know in a real-world setting? Which measurements will help us to track their behavioral change over time?   

Checking the Box vs Behavioral Change 

One traditional approach to cybersecurity awareness is certifications. The CISO makes it a requirement for the whole business to take Cybersecurity 101 and then marks all employees as successfully trained. Mission accomplished, and security awareness training can be checked off the organizational to-do list.  

However, what has actually been achieved here? We all know there is no such thing as totally secure when it comes to phishing scams and security readiness. Hackers are only growing more persistent, and there are thousands of automated kits which continuously attempt to breach your employees’ defenses by manipulating their fear, trust, or mood. Sitting in a class while a trainer reads to you from a slide deck doesn’t make you ready. The same is true when playing funny or cool videos. All it does is create a false sense of security for your employees that they don’t need to be vigilant, as they are fully prepared, and have the certificate to prove it.  

It’s important to focus on supporting employees to practice new and expected behaviors, creating a continuous learning culture rather than a check-box initiative.  

It’s not about us sitting and training blank-slate employees and imparting our wealth of information. Employees aren’t blank slates – they have plenty of knowledge. What they need is learning opportunities – the chance to practice and repeat desired behaviors. As we know that learning is most impactful at the moment of need, we support employees with various phishing simulations that, when clicked on, provide short, actionable learning moments for the user. The repetition helps employees to create cognitive generalizations along with specific and contextual knowledge bites. We can then measure the response to these simulations, providing us with real-world data on behavioral change.

It was fantastic to see these themes being recognized and understood by the industry at this year’s NCA conference. I can’t wait to see how this new level of understanding contributes to a more effective, resilient, and ready landscape for today’s businesses. 

Learn more here: CybeReady.com 

Guest Contributor: Mike Polatsek, Co-founder and CSO at CybeReady

Featured Articles

How to Make Cybersecurity Training Accessible

Does your training program reach all employees in your organization?

 Facebook Hacked

What to Do if Your Business Facebook Is Hacked

There has been an uptick in cybercriminals attempting to target small businesses' Facebook profiles and ad accounts.

Tags

Training and Awareness