Executives should view security programs as change management initiatives, emphasizing vision for employee engagement.

Rob Rashotte, VP, Global Training and Field Enablement, Fortinet

September 7, 2023


As cybercriminals continue to succeed and the daily task list for your security team expands, your staff need to set aside time for updating and improving their abilities. But more effort needs to be made to ensure that all staff are receiving effective cyber awareness training and that it’s not treated as a one-and-done activity or a check-the-box task.

In actuality, security awareness and training initiatives are change management and risk mitigation initiatives, and they need to be treated as such. That requires executive buy-in at the highest level. It’s incumbent upon security leaders to ensure such initiatives are tied tightly to the organization’s overall goals, whether the goal is risk mitigation, brand reputation or something else. Without such buy-in, these initiatives risk becoming a short-lived training project with minimal impact on an organization’s security posture.

McKinsey reports that 70% of change management programs fail to achieve their goals. But they also found that “when people are truly invested in change, it is 30% more likely to stick.” By educating yourself about effective change management processes -- and how to apply them to cybersecurity training -- you will create a foundation for success.

More Attacks, More Targeting 

Cybercriminals are becoming more sophisticated all the time, and their ranks are growing. Data from a recent global ransomware report shows that 50% of enterprises experienced a cyberattack and that two-thirds of them were targeted by ransomware. Additionally, according to the recent threat landscape report, the number of ransomware attacks increased by 16% over the preceding six months.

Consequently, training must be conducted in an ongoing manner to keep employees updated on the latest trends and risks. And that’s why it needs to be thought of as an ongoing part of organizational policy rather than just as “yet another” training program. 

Changing Course Requires Communication

Too frequently, cybersecurity awareness projects are started in the expectation that providing required training will, by itself, alter behavior and strengthen the organization's security posture. Yes, that’s the goal, but it's not that simple. You need to create a program vision and select meaningful metrics that are outcome driven. Make sure you can convince leadership of your project’s business value. Learners will be more responsive to the program if its objectives and importance are made clear. This is the critical first step in change management. Staff need to know that they are participants in the change -- in fact, that this change cannot happen without them -- rather than feeling like passive recipients or even victims of the change.

Look for ways to express this vision. These messages should ideally come from more than one member of your company’s leadership team, and leaders should convey them on a regular basis through various communication channels, including a quarterly all-hands meeting.

3 Best Practices for Security Training

To create the kind of security training and awareness that's needed today, make sure to implement these three best practices: 

1. Teach on pertinent topics: The subjects you must cover in cyber-awareness training will change as the threat landscape does. Clearly, every training program needs to address a number of important areas of concern, such as ransomware, phishing attempts, remote work, passwords and authentication, social engineering and more. Include risks that are specific to your company or industry, and frequently analyze the content to make any necessary adjustments or additions.

2. Think about context: The audience participating in your training program should determine the content you provide. That is, different groups within your company will benefit from customized training materials. For instance, your software engineers and other technically oriented staff members may require knowledge of IP protection or the potential repercussions of writing insecure code. The dangers of opening a link or attachment, as well as how to recognize phishing emails, must be clear to administrative staff. Although the fundamental ideas presented in training sessions may be the same for both groups, it is advantageous for a number of reasons to provide the content within its appropriate context. To begin with, this enhances the likelihood that learners will take the training seriously and have a better understanding of their particular role in the organization's security.

3. Create a plan for long-term engagement: Training in cyber-awareness is not something you can do once and then forget about. Consider these programs as change management initiatives with a sizable training component rather than as training programs. Determine the "nudge" approaches you'll use to encourage staff to interact with the content, as well as how frequently you'll update the organization on the endeavor.

A Change for the Better

There’s been an ongoing message that employees are the weakest link in security, but it’s key to change that message and debunk this mindset. Instead, companies are realizing that employees can be their first and possibly best line of defense. To make this a reality, though, organizations must often undergo a shift in how they look at security and awareness training.

Rather than executives and security leaders thinking of these initiatives as “just” training programs, they should be thought of as change management initiatives with a significant training component. As with any change management initiative, it is important to first establish a vision and a desired future state for the organization. While this seems rather rudimentary, it is a crucial step in earning employees’ buy-in, their engagement and, later, their adoption of any security training. The information and best practices outlined above will set your organization on a course toward more consistent and stronger security.

About the Author(s)

Rob Rashotte

VP, Global Training and Field Enablement, Fortinet

Rob Rashotte is the vice president, global training & technical field enablement at Fortinet. He has 20 years of experience developing training and education strategies for startups as well as complex global organizations. He also has 15 years of experience working with some of the most innovative, fast-paced companies in the high-tech industry. Rob has an MBA from the University of Ottawa.
