7 ways to improve security awareness & training
Although 7 Ways to Improve Employee Development Programs by Keith Ferrazzi in the Harvard Business Review is not specifically about information security awareness and training, it's straightforward to apply it in that context. The 7 ways in bold below are quoted from Keith's paper, followed by my take.
1. Ignite managers’ passion to coach their employees. I quite like this one: the idea is to incentivize managers to coach the workforce. As far as I'm concerned, this is an inherent part of management and leadership, something that can be enabled and encouraged in a general manner not just through explicit (e.g. financial) incentives. For me, this starts right at the very top: a proactive CEO, MD and executive/leadership team is in an ideal position to set this ball rolling on down the cascade - or not. If the top table is ambiguous or even negative about this, guess what happens! So, right there is an obvious strategy worth pursuing: start at, or at the very least, include those at the very top of the organization ... which means taking their perspectives and addressing their current information needs, preferred learning styles and so forth (more below: directors and execs are - allegedly - as human as the rest of us!).
2. Deal with the short-shelf life of learning and development needs. 'Short shelf-life' is a nice way to put it. In the field of information risk and security, the emergence of novel threats that exploit previously unrecognized vulnerabilities causing substantial business impacts, is a key and recurrent challenge. I totally agree with the need to make security awareness an ongoing, ideally continuous activity, drip-feeding workers with current, pertinent information and guidance all year long rather than attempting to dump everything on them in a once-in-a-blue-moon event, session or course. Apart from anything else, keeping the awareness materials and activities topical makes them more interesting than stale old irrelevant and distracting junk that is 'so last year' (at best!).
3. Teach employees to own their career development. An interesting suggestion, this, especially for the more involved infosec topics normally taught through intensive training courses rather than general spare-time awareness activities. I'm not sure off-hand how this suggestion would work in practice, but it occurs to me that periodic employee appraisals and team meetings provide ample opportunities to offer training and encourage workers to take up whatever suits their career and personal development aspirations.
4. Provide flexible learning options. This hardly needs saying, does it? Maybe it is news to some that 'on demand' learning can usefully exploit workers' free-time, filling-in odd moments in the working day that would otherwise go to waste. It's not quite as simple as that in that the awareness and training content should be appealing, engaging and worthwhile for the individuals to encourage them to participate, which in turn means it ideally needs to be developed by creative professionals with a good appreciation of both the audiences and the learning content. There's more to it than making stuff 'accessible'.
5. Serve the learning needs of more virtual teams. For me, this goes hand-in-hand with suggestions 1 and 4. 'Virtual teams' comprised of geographically-dispersed social groups present both opportunities and challenges for security awareness and training, especially if you accept that 'the virtual team' extends way beyond the organization these days.
6. Build trust in organizational leadership. Keith asserts provocatively that "People crave transparency, openness, and honesty from their leaders. Unfortunately, business leaders continue to face issues of trust". Hmmmm. If true (and I'm not at all sure I accept that, at least not as a general statement of fact), it undermines all aspects of management and leadership, not just security awareness, making this a more fundamental and potentially very serious issue for corporations. On the other hand, Keith's suggestion to “lead by example” is sound, regardless of how deep the issues go. For me, this is another inherent part of management, leadership and motivation - a word that is conspicuously and curiously absent from the HBR article. Openly addressing "What's in it for me?" is an obvious means of motivating people, especially if coupled with both enforcement and reinforcement - in other words, don't just threaten to hammer people for doing the wrong things, entice them to do the right things though rewards and incentives of all sorts (again, not just financial).
7. Match different learning options to different learning styles. It is hardly rocket-surgery to suggest that individuals vary in their preferred 'learning styles', and although Keith only refers to Millennials using "cell phones, computers, and video games consoles", it's not hard to interpret this advice much more openly. For example, some people prefer to discover/learn stuff by reading, others by being told, others by doing. Some of us consider stuff before either accepting and internalizing it, or rejecting it, or (as with this blog piece) adapting and incorporating information and advice into a broader framework known as 'experience'. Some prefer to be told, simply and straightforwardly (and in far fewer words than this blog) what to do or not to do (lists of up to seven items for instance ...), and may only engage to the extent necessary to read the instructions, or view a diagram. Some "don't have the time for this", and some of us just love to explore the topic at our leisure. A few naturally resent being told to do anything and will rebel ... unless they are persuaded that it's in their best interests to comply (which can be tough!). Most of us have our interests and concerns, plus our non-interests and unconcerns, and we all differ, hence any attempt to offer a one-size-fits-all approach to security awareness and training is (I believe) doomed to failure.