After two long years of virtual conferences, it was a fantastic opportunity to see so many customers and colleagues at the NCA’s recent Security Training and Awareness Conference.

And during the event, I saw that after all of these years, the market is beginning to shift its language and to see the value in three key areas.  

These three areas felt very familiar to me. While the market was focused on the language of awareness and training, we spoke about readiness and learning, and how to impact real behavioral change.  

Awareness vs Readiness

There are a number of reasons why the idea of awareness never sat right with me. First of all, it purely represents the input of the training manager – whatever actions the trainers are taking in order to make employees aware of cybersecurity risks in the way that they work. Training managers implement awareness techniques and campaigns in order to try to prove behavioral change on the part of their employees.  

A smarter approach has always been to focus on the other side of the equation – the output that the employees create. If the input is awareness, the output is readiness. How ready are your employees to face today’s cybersecurity risks? This is a practical definition that can be planned, executed, and critically – measured.  

Entertainment vs Learning 

The next shift is from the idea of training to learning. This can be looked at similarly through the lens of input vs output. Instead of looking at what the trainers can provide, (and at the moment the trend appears to be videos and games, leaning on gamification and fun to try to make training more engaging) trainers need to understand how employees learn. We’re not looking to entertain our learners, we’re not even looking to communicate with them directly most of the time. We’re simply looking to help them to learn and adopt new behaviors behind the scenes, and then measure the output of that learning in terms of their behavioral change. 

To do this, we don’t need trendy training techniques and gamification. Instead, we ask ourselves, what are employees’ learning triggers? How can we provide opportunities for them to practice and repeat what they need to know in a real-world setting? Which measurements will help us to track their behavioral change over time?   

Checking the Box vs Behavioral Change 

One traditional approach to cybersecurity awareness is certifications. The CISO makes it a requirement for the whole business to take Cybersecurity 101 and then marks all employees as successfully trained. Mission accomplished, and security awareness training can be checked off the organizational to-do list.  

However, what has actually been achieved here? We all know there is no such thing as totally secure when it comes to phishing scams and security readiness. Hackers are only growing more persistent, and there are thousands of automated kits which continuously attempt to breach your employees’ defenses by manipulating their fear, trust, or mood. Sitting in a class while a trainer reads to you from a slide deck doesn’t make you ready. The same is true when playing funny or cool videos. All it does is create a false sense of security for your employees that they don’t need to be vigilant, as they are fully prepared, and have the certificate to prove it.  

It’s important to focus on supporting employees to practice new and expected behaviors, creating a continuous learning culture rather than a check-box initiative.  

It’s not about us sitting and training blank slate employees and imparting over our wealth of information. Employees aren’t blank slates – they have plenty of knowledge. What they need is learning opportunities – the chance to practice and repeat desired behaviors. As we know that learning is most impactful at the moment of need, we support employees with various phishing simulations that, when clicked on, provide short, actionable learning moments for the user. The repetition helps employees to create cognitive generalizations along with specific and contextual knowledge bites. We can then measure the response to these simulations, providing us with real-world data on behavioral change.  

It was fantastic to see these themes being recognized and understood by the industry at this year’s NCA conference. I can’t wait to see how this new level of understanding contributes to a more effective, resilient, and ready landscape for today’s businesses. 

Learn more here: CybeReady.com 

Guest Contributor: Mike Polatsek, Co-founder and CSO at CybeReady